CVE-2022-22980

Summary

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.

Affected Software

VendorProductVersion RangeStatus
n/aSpring Data MongoDB3.4.0, 3.3.0 to 3.3.4 and Olderaffected

Weaknesses

  • Spring Data MongoDB SpEL Expression injection vulnerability through annotated repository query methods

ADP Enrichment

CVE Program Container

Additional References

References