Headline
GHSA-w24x-87mr-4r23: SpEL Injection in Spring Data MongoDB
A Spring Data MongoDB application is vulnerable to SpEL injection when it uses @Query- or @Aggregation-annotated query methods whose SpEL expressions contain query parameter placeholders for value binding, and the input is not sanitized.
Package
org.springframework.data:spring-data-mongodb (Maven)
Affected versions
= 3.4.0
< 3.3.5
Patched versions
3.4.1
3.3.5
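A source-level check for the pattern this advisory describes, added here as an example and not taken from the advisory or from Spring Data's own code: it scans Java source for @Query/@Aggregation annotations whose SpEL blocks contain a `?N` placeholder. It assumes Spring Data's `?#{...}` and `:#{...}` SpEL delimiters; the function names and the sample repository are constructed for illustration.

```python
import re

# Annotation plus its argument list (string literals may contain parentheses).
ANNOTATION = re.compile(r'@(Query|Aggregation)\s*\(((?:"(?:[^"\\]|\\.)*"|[^")])*)\)')
LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')   # one Java string literal
SPEL_START = re.compile(r"[?:]#\{")            # assumed SpEL delimiters ?#{ and :#{
PLACEHOLDER = re.compile(r"\?\d+")             # ?0, ?1, ... value-binding placeholder

def _spel_block(query, start):
    """Return the SpEL block (brace-balanced) that begins at query[start]."""
    depth = 0
    for i in range(start, len(query)):
        if query[i] == "{":
            depth += 1
        elif query[i] == "}":
            depth -= 1
            if depth == 0:
                return query[start:i + 1]
    return query[start:]  # unterminated expression: keep the remainder

def find_risky_queries(java_source):
    """Return (line, annotation, expression) for each SpEL block embedding ?N."""
    findings = []
    for m in ANNOTATION.finditer(java_source):
        query = "".join(LITERAL.findall(m.group(2)))  # heuristic: merge "a" + "b"
        for s in SPEL_START.finditer(query):
            expr = _spel_block(query, s.start())
            if PLACEHOLDER.search(expr):
                line = java_source.count("\n", 0, m.start()) + 1
                findings.append((line, m.group(1), expr))
    return findings

# Constructed sample repository, not taken from any real project.
SAMPLE = '''\
interface PersonRepository extends MongoRepository<Person, String> {
    @Query("{ 'name' : ?#{?0} }")                       // flagged
    List<Person> byNameExpr(String name);
    @Query("{ 'name' : ?0 }")                           // plain binding, no SpEL
    List<Person> byNamePlain(String name);
    @Aggregation(pipeline = { "{ $match: { 'city' : :#{?0.toUpperCase()} } }",
                              "{ $sort: { 'name' : 1 } }" })  // flagged
    List<Person> byCity(String city);
    @Query("{ 'age' : { $gt : ?#{[0]} } }")             // no ?N inside the expression
    List<Person> olderThan(int age);
}
'''

if __name__ == "__main__":
    for line, annotation, expr in find_risky_queries(SAMPLE):
        print(f"line {line}: @{annotation} embeds a placeholder in SpEL: {expr}")
```

A hit only shows that the pattern is present; whether the method is exposed still depends on the library version in use and on whether unsanitized input reaches the parameter.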
Related news
Spring Data MongoDB hit by another critical SpEL injection flaw
Bug mirrors recent SpEL injection vulnerability that emerged alongside ‘SpringShell’ issue
CVE-2022-22980 | Security