org.springframework.data:spring-data-mongodb@1.6.1.RELEASE vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.springframework.data:spring-data-mongodb package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
SpEL Expression injection

Affected versions of this package are vulnerable to SpEL Expression injection when using @Query or @Aggregation-annotated query methods with SpEL expressions. Exploiting this vulnerability is possible if the query parameter placeholders contain unsanitized value binding.

Notes:

Applications are not affected if one of the followings is true:

  1. The annotated repository query or aggregation method does not contain expressions

  2. The annotated repository query or aggregation method does not use the parameter placeholder syntax within the expression

  3. The user-supplied input is sanitized by the application

  4. The repository is configured to use a QueryMethodEvaluationContextProvider that limits SpEL usage

How to fix SpEL Expression injection?

Upgrade org.springframework.data:spring-data-mongodb to version 3.3.5, 3.4.1 or higher.

[,3.3.5) [3.4.0,3.4.1)