Miggo Logo
Miggo Vulnerability Database
CVE-2022-22980

CVE-2022-22980: SpEL Injection in Spring Data MongoDB

9.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-22980
GHSA ID
GHSA-w24x-87mr-4r23
EPSS Score
0.9936%
CWE
CWE-917
Published
6/24/2022
Updated
1/27/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.springframework.data:spring-data-mongodbmaven= 3.4.03.4.1
org.springframework.data:spring-data-mongodbmaven< 3.3.53.3.5

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unsafe SpEL evaluation in @Query/@Aggregation methods using parameter placeholders. Analysis of Spring Data MongoDB's query processing reveals:

  1. StringBasedMongoQuery.createQuery directly processes SpEL expressions with user parameters
  2. StringBasedAggregation.createPipeline performs similar processing for aggregations
  3. The default EvaluationContextProvider allows dangerous SpEL features These functions appear in stack traces when user input flows into SpEL evaluation through repository methods. The patched versions likely modified parameter handling in these methods to use safer [0] syntax instead of ?0 placeholders and restricted EvaluationContext.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* Sprin* **t* Mon*o** *ppli**tion is vuln*r**l* to Sp*L Inj**tion w**n usin* @Qu*ry or @***r***tion-*nnot*t** qu*ry m*t*o*s wit* Sp*L *xpr*ssions t**t *ont*in qu*ry p*r*m*t*r pl****ol**rs *or v*lu* *in*in* i* t** input is not s*nitiz**.

Reasoning

T** vuln*r**ility st*ms *rom uns*** Sp*L *v*lu*tion in @Qu*ry/@***r***tion m*t*o*s usin* p*r*m*t*r pl****ol**rs. *n*lysis o* Sprin* **t* Mon*o**'s qu*ry pro**ssin* r*v**ls: *. Strin***s**Mon*oQu*ry.*r**t*Qu*ry *ir**tly pro**ss*s Sp*L *xpr*ssions wit*