Published: 23/06/2022 Updated: 23/06/2022

Vulnerability Summary

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.
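The summary names a specific code pattern: a `@Query` or `@Aggregation` annotation whose SpEL expression (Spring Data writes these as `?#{ ... }` or `:#{ ... }` inside the query string) refers to a method argument. The script below is an added example, not code from Vulmon, Spring, or any repository listed on this page: a heuristic source scanner that flags such annotations so that the method arguments feeding them can be reviewed and sanitized. The Java snippets it scans are constructed for the example; the argument-reference forms it looks for (`?0`, `[0]`, `#name`) are assumptions about what a reviewer would want flagged, not an exhaustive grammar.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample Java sources used as input for this example (not taken
# from the advisory or from any of the repositories listed on this page).
SAMPLE_SOURCES: Dict[str, str] = {
    "UserRepository.java": """
interface UserRepository extends MongoRepository<User, String> {
    // SpEL expression that references the first method argument
    @Query("{ 'username': ?#{[0]} }")
    User findByUsernameSpel(String username);

    // Plain positional placeholder: Spring Data binds the value, no SpEL
    @Query("{ 'username': ?0 }")
    User findByUsername(String username);

    // SpEL expression wrapping a named parameter reference
    @Query("{ 'email': :#{#email} }")
    User findByEmail(@Param("email") String email);
}
""",
    "OrderRepository.java": """
interface OrderRepository extends MongoRepository<Order, String> {
    // SpEL inside an aggregation stage that embeds a positional placeholder
    @Aggregation(pipeline = {
        "{ $match: { customerId: ?#{?0} } }",
        "{ $group: { _id: '$status', total: { $sum: '$amount' } } }"
    })
    List<StatusTotal> totalsByStatus(String customerId);

    // SpEL that does not reference any method argument: not flagged
    @Query("{ 'tenant': ?#{principal.tenant} }")
    List<Order> findForCurrentTenant();
}
""",
}

# @Query(...) / @Aggregation(...) with its full argument list, which may span
# several lines and contain one level of nested parentheses.
ANNOTATION_RE = re.compile(r"@(Query|Aggregation)\s*\(((?:[^()]|\([^()]*\))*)\)", re.S)
# Spring Data's SpEL expression syntax inside query strings: ?#{ ... } or :#{ ... }.
SPEL_RE = re.compile(r"[?:]#\{([^}]*)\}")
# Heuristic (assumed) ways a SpEL expression can refer to a method argument:
# positional placeholder ?0, root-array access [0], or named reference #name.
ARG_REF_RE = re.compile(r"\?\d+|\[\d+\]|#\w+")


def find_spel_parameter_bindings(sources: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (file, annotation, spel_expression) for every @Query/@Aggregation
    whose SpEL expression refers to a query method argument.

    These are the places where unsanitized input reaches SpEL evaluation in
    the pattern the advisory describes; each one should be reviewed."""
    findings: List[Tuple[str, str, str]] = []
    for filename, text in sources.items():
        for ann in ANNOTATION_RE.finditer(text):
            annotation, body = ann.group(1), ann.group(2)
            for spel in SPEL_RE.finditer(body):
                expression = spel.group(1).strip()
                if ARG_REF_RE.search(expression):
                    findings.append((filename, annotation, expression))
    return findings


if __name__ == "__main__":
    for filename, annotation, expression in find_spel_parameter_bindings(SAMPLE_SOURCES):
        print(f"{filename}: @{annotation} binds method argument inside SpEL: {expression}")
```

To run it over a real code base, replace `SAMPLE_SOURCES` with the contents of the project's `.java` files; the plain `?0` placeholder form is deliberately not flagged, since the summary ties the issue to placeholders inside SpEL expressions, not to placeholder binding on its own.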

Github Repositories

CVE-2022-22980 Poc of CVE-2022-22980

spring-data-mongodb-cve-2022-22980-exp A marginal vulnerability, just recording it. Start redis on port 27017. Start the project; Spring Boot runs on port 6666. GET /v1/user/get?username=T(javalangRuntime)getRuntime()exec('open+-a+calculatorapp') HTTP/11 Host: localhost:6666 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US;q=09,en;q=08 User-Agent: Mozil

[CVE-2022-22980] Spring Data MongoDB SpEL Expression Injection MongoDB is a scalable and flexible document-oriented NoSQL database used for high-volume data storage. Instead of using tables and rows as in traditional relational databases, MongoDB makes use of collections and documents. Documents consist of key-value pairs, which are the basic unit of data in M