Spring Security Advisories

CVE-2022-22980: Spring Data MongoDB SpEL Expression injection vulnerability through annotated repository query methods

HIGH | JUNE 20, 2022 | CVE-2022-22980

Description

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.

Specifically, an application is vulnerable when all of the following are true:

  • A repository query method is annotated with @Query or @Aggregation
  • The annotated query or aggregation value/pipeline contains SpEL parts using the parameter placeholder syntax within the expression
  • The user supplied input is not sanitized by the application

An application is not vulnerable if any of the following is true:

  • The annotated repository query or aggregation method does not contain expressions
  • The annotated repository query or aggregation method does not use the parameter placeholder syntax within the expression
  • The user supplied input is sanitized by the application
  • The repository is configured to use a QueryMethodEvaluationContextProvider that limits SpEL usage

Affected Spring Products and Versions

  • Spring Data MongoDB
    • 3.4.0
    • 3.3.0 to 3.3.4
    • Older, unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation: 3.4.x users should upgrade to 3.4.1+. 3.3.x users should upgrade to 3.3.5+. No other steps are necessary. There are other mitigation steps for applications that cannot upgrade to the above versions.

Other mitigation steps:

  • Rewrite query or aggregation declarations to use parameter references (“[0]” instead of “?0“) within the expression
  • Sanitize parameters before calling the query method
  • Reconfigure the repository factory bean through a BeanPostProcessor with a limited QueryMethodEvaluationContextProvider

Releases that have fixed this issue include:

  • Spring Data MongoDB
    • 3.4.1+
    • 3.3.5+

Credit

This issue was identified and responsibly reported by Zewei Zhang from NSFOCUS TIANJI Lab.

History

  • 2022-06-20: Initial vulnerability report published.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all