CVE-2022-22980: Spring Data MongoDB SpEL Expression injection vulnerability



Recently, VMware issued a security bulletin disclosing a SpEL Expression injection vulnerability (CVE-2022-22980) in Spring Data MongoDB. The flaw is rated high severity. It affects Spring Data MongoDB applications whose repository query methods are annotated with @Query or @Aggregation and use parametrized SpEL statements. Exploitation requires that non-sanitized input reach such a repository query method. The vulnerability was responsibly reported by Zewei Zhang from NSFOCUS TIANJI Lab on Monday, June 13, 2022.
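The following is an added illustration, not code from the advisory or from the Spring Data project. It shows, on a hypothetical `Ticket` repository, the query shape the advisory describes (a method parameter consumed through a parametrized SpEL expression) next to forms that do not evaluate SpEL at all, plus a service-layer check that keeps unsanitized input away from the query method. The `Ticket` type, the field names and the `OWNER_ID` pattern are assumptions made for the example.

```java
// Added example (not from the advisory or the Spring Data project).
// Hypothetical repository illustrating the query shapes the advisory describes.
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.mongodb.repository.Query;

import java.util.List;
import java.util.regex.Pattern;

// Hypothetical document type, assumed for illustration.
class Ticket {
    String id;
    String title;
    String owner;
}

interface TicketRepository extends MongoRepository<Ticket, String> {

    // Pattern named in the advisory: the method parameter is consumed through a
    // parametrized SpEL expression. If 'owner' arrives straight from a request,
    // non-sanitized input reaches the SpEL evaluation the advisory warns about.
    @Query("{ 'owner': ?#{[0]} }")
    List<Ticket> findByOwnerSpel(String owner);

    // Positional placeholder: the value is bound as query data and no SpEL
    // expression is evaluated for it.
    @Query("{ 'owner': ?0 }")
    List<Ticket> findByOwner(String owner);

    // Derived query: Spring Data builds the filter from the method name; no SpEL either.
    List<Ticket> findByTitle(String title);
}

// Service layer that only ever hands validated values to the repository.
class TicketService {

    // Assumed allowlist for owner identifiers: short alphanumeric tokens only.
    private static final Pattern OWNER_ID = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    private final TicketRepository repository;

    TicketService(TicketRepository repository) {
        this.repository = repository;
    }

    // Rejects anything outside the allowlist before it can reach a query method.
    static String requireValidOwner(String owner) {
        if (owner == null || !OWNER_ID.matcher(owner).matches()) {
            throw new IllegalArgumentException("invalid owner identifier");
        }
        return owner;
    }

    List<Ticket> ticketsFor(String ownerFromRequest) {
        // Prefer the non-SpEL binding; validate the input regardless of which query is used.
        return repository.findByOwner(requireValidOwner(ownerFromRequest));
    }
}
```

The primary remediation is upgrading to the fixed Spring Data MongoDB release named in the bulletin; the allowlist check and the preference for positional or derived queries are defence in depth that also shrink the attack surface for any future issue in SpEL-parametrized queries.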
