CVE-2022-22980
SpEL Injection vulnerability in spring-data-mongodb (Maven)

SpEL Injection Proof of concept

What is CVE-2022-22980 About?

This vulnerability is a SpEL (Spring Expression Language) Injection affecting Spring Data MongoDB applications that use `@Query` or `@Aggregation`-annotated query methods with SpEL expressions containing parameter placeholders. Successful exploitation lets an attacker execute arbitrary code or commands on the system. Exploitation requires sending specially crafted query parameters to a vulnerable application.

Affected Software

  • org.springframework.data:spring-data-mongodb
    • >3.4.0, <3.4.1
    • <3.3.5

Technical Details

The vulnerability is a SpEL Injection that occurs in Spring Data MongoDB applications. Specifically, it affects applications that utilize @Query or @Aggregation-annotated query methods. The critical flaw is that these methods, when designed to incorporate SpEL expressions with query parameter placeholders for value binding, do not properly sanitize the input corresponding to these placeholders. An attacker can inject malicious SpEL expressions into these query parameters. When the application then attempts to resolve the query, the injected SpEL expression is evaluated within the context of the running application, potentially allowing the attacker to execute arbitrary Java code or system commands, access application beans, or manipulate data in unintended ways. The mechanism involves the framework incorrectly trusting and evaluating untrusted user input as part of a SpEL expression.
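The following is an added example, not code from this page, from the PoCs it lists, or from the Spring Data project: it shows the query-method shape the advisory describes as a vulnerable repository beside a hardened one. The `User` entity, repository name and field names are assumed for illustration; the `?#{[0]}` SpEL placeholder and the `?0` positional placeholder are standard Spring Data MongoDB syntax, and upgrading to the fixed versions listed in the Available Fixes section remains the actual remediation.

```java
// Added example, not code from the original page or the Spring Data project.
// Entity, repository and field names are assumed for illustration.
import java.util.List;
import org.springframework.data.annotation.Id;
import org.springframework.data.mongodb.core.mapping.Document;
import org.springframework.data.mongodb.repository.Aggregation;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.mongodb.repository.Query;

@Document(collection = "users")
class User {
    @Id
    String id;
    String username;
}

interface UserRepository extends MongoRepository<User, String> {

    // VULNERABLE on the affected versions: ?#{[0]} is a SpEL expression that
    // pulls in the first method argument. The caller-supplied string is handled
    // by the SpEL evaluator instead of being bound as a plain value, so
    // expression syntax inside it is evaluated with the application's
    // privileges (the SpEL injection this advisory describes).
    @Query("{ 'username': ?#{[0]} }")
    List<User> findByUsernameViaSpel(String username);

    // The same pattern inside an @Aggregation pipeline stage.
    @Aggregation("{ $match: { 'username': ?#{[0]} } }")
    List<User> matchUsernameViaSpel(String username);

    // HARDENED: the positional placeholder ?0 binds the argument as a query
    // value with no expression evaluation, so a string that happens to contain
    // SpEL syntax is only ever compared against the stored field.
    @Query("{ 'username': ?0 }")
    List<User> findByUsername(String username);

    // Or let Spring Data derive the query from the method name: no query
    // string and no expression language are involved at all.
    List<User> findAllByUsername(String username);
}
```

Code review or a grep for `?#{` inside `@Query` and `@Aggregation` strings is a quick way to find every method that needs the upgrade or the positional-placeholder rewrite.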

What is the Impact of CVE-2022-22980?

Successful exploitation may allow attackers to execute arbitrary commands, access sensitive data, or perform unauthorized actions on the underlying system through crafted SpEL expressions.

What is the Exploitability of CVE-2022-22980?

Exploitation of this SpEL Injection vulnerability typically involves crafting malicious input that will be passed as a query parameter to a Spring Data MongoDB application. The complexity level can be moderate, as it requires knowledge of SpEL syntax and the application's query structure. Authentication requirements depend on whether the vulnerable endpoint is protected; if the endpoint is publicly accessible, no authentication is needed. Privilege requirements are also determined by the access level of the application process itself, as the injected SpEL expressions will execute with those privileges. This is a remote vulnerability, as an attacker can send malicious HTTP requests with crafted query parameters. The special condition is the use of @Query or @Aggregation-annotated methods with SpEL expressions and parameter placeholders that bind values directly from unsanitized user input. The existence of a proof-of-concept indicates that the attack vector is understood and demonstrably exploitable, increasing the likelihood of successful attacks. Risk factors include web applications exposing such vulnerable query methods directly to external users.

What are the Known Public Exploits?

PoC author   Link   Commentary
trganda      Link   PoC of CVE-2022-22980
kuron3k0     Link   CVE-2022-22980 environment
li8u99       Link   CVE-2022-22980 environment

What are the Available Fixes for CVE-2022-22980?

Available Upgrade Options

  • org.springframework.data:spring-data-mongodb
    • <3.3.5 → Upgrade to 3.3.5
  • org.springframework.data:spring-data-mongodb
    • >3.4.0, <3.4.1 → Upgrade to 3.4.1


Additional Resources

What are Similar Vulnerabilities to CVE-2022-22980?

Similar Vulnerabilities: CVE-2022-22965, CVE-2021-22091, CVE-2020-13936, CVE-2021-22064, CVE-2020-5407