Homepage

org.springframework.data:spring-data-mongodb@1.10.11.RELEASE vulnerabilities

  • latest version

    4.4.4

  • latest non vulnerable version

    5.0.0-M1

  • first published

    13 years ago

  • latest version published

    1 months ago

  • licenses detected

  • package registry

    View on Maven Central Repository
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the org.springframework.data:spring-data-mongodb package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • C
    SpEL Expression injection

    Affected versions of this package are vulnerable to SpEL Expression injection when using @Query or @Aggregation-annotated query methods with SpEL expressions. Exploiting this vulnerability is possible if the query parameter placeholders contain unsanitized value binding.

    Notes:

    Applications are not affected if one of the followings is true:

    1. The annotated repository query or aggregation method does not contain expressions

    2. The annotated repository query or aggregation method does not use the parameter placeholder syntax within the expression

    3. The user-supplied input is sanitized by the application

    4. The repository is configured to use a QueryMethodEvaluationContextProvider that limits SpEL usage

    How to fix SpEL Expression injection?

    Upgrade org.springframework.data:spring-data-mongodb to version 3.3.5, 3.4.1 or higher.

    [,3.3.5)[3.4.0,3.4.1)
    Go back to all versions of this package