From securityonline.info
![CVE-2022-22980](https://cdn-0.securityonline.info/wp-content/uploads/2022/06/spring-data-mongodb.jpg?ezimgfmt=rs:399x313/rscb1/ng:webp/ngcb1)
Recently, VMware issued a security bulletin disclosing a SpEL expression injection vulnerability (CVE-2022-22980) in Spring Data MongoDB. The flaw is rated high severity. It affects Spring Data MongoDB applications that use repository query methods annotated with `@Query` or `@Aggregation` together with parametrized SpEL statements. Exploitation requires unsanitized input to be passed to the repository query method. The vulnerability was responsibly reported by Zewei Zhang from NSFOCUS TIANJI Lab on Monday, June 13, 2022.
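To check a code base for the pattern described above, the following added example (not code from the article or from the Spring project) scans Java source for `@Query` / `@Aggregation` annotations whose SpEL blocks contain a positional placeholder. The heuristic of a `?N` placeholder inside `?#{...}` or `:#{...}`, the function names and the sample repository interface are assumptions made for illustration.

```python
import re

ANNOTATION = re.compile(r'@(Query|Aggregation)\s*\(')
SPEL_BLOCK = re.compile(r'[?:]#\{(.*?)\}', re.S)   # ?#{...} or :#{...}
PLACEHOLDER = re.compile(r'\?\d+')                 # ?0, ?1, ... inside the SpEL block

def annotation_args(src, open_paren):
    """Return the text inside the annotation's balanced parentheses,
    ignoring parentheses that appear inside Java string literals."""
    depth, i, in_str = 0, open_paren, False
    while i < len(src):
        c = src[i]
        if in_str:
            if c == '\\':
                i += 1                      # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == '(':
            depth += 1
        elif c == ')':
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
        i += 1
    return src[open_paren + 1:]             # unbalanced: take the rest

def find_risky_queries(src):
    """List (line, annotation, spel_block) for each SpEL block that uses ?N."""
    findings = []
    for m in ANNOTATION.finditer(src):
        line = src.count("\n", 0, m.start()) + 1
        for block in SPEL_BLOCK.finditer(annotation_args(src, m.end() - 1)):
            if PLACEHOLDER.search(block.group(1)):
                findings.append((line, m.group(1), block.group(0)))
    return findings

# Constructed sample source, not taken from any real project.
SAMPLE = """\
public interface UserRepo extends MongoRepository<User, String> {
    @Query("{ 'name' : ?#{?0} }")
    List<User> findByName(String name);
    @Query("{ 'name' : ?#{[0]} }")
    List<User> findByNameArray(String name);
    @Aggregation(pipeline = { "{ $match : { 'owner' : :#{?0} } }" })
    List<User> byOwner(String owner);
}
"""

if __name__ == "__main__":
    for finding in find_risky_queries(SAMPLE):
        print(finding)
```

A hit only marks a query method for review: whether it is reachable with unsanitized input still has to be traced through its callers, and a compact SpEL ternary such as `a?0:1` will produce a false positive.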