SpEL Expression injection Affecting org.springframework.data:spring-data-mongodb Open this link in a new tab package, versions [,3.3.5) [3.4.0,3.4.1)
Proof of concept
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
21 Jun 2022
21 Jun 2022
How to fix?
org.springframework.data:spring-data-mongodb to version 3.3.5, 3.4.1 or higher.
Affected versions of this package are vulnerable to SpEL Expression injection when using
@Aggregation-annotated query methods with
SpEL expressions. Exploiting this vulnerability is possible if the query parameter placeholders contain unsanitized value binding.
Applications are not affected if one of the followings is true:
The annotated repository query or aggregation method does not contain expressions
The annotated repository query or aggregation method does not use the parameter placeholder syntax within the expression
The user-supplied input is sanitized by the application
The repository is configured to use a
If upgrading to the fixed version is not possible, the following mitigation steps should be taken:
Rewrite query or aggregation declarations to use parameter references (“” instead of “?0“) within the expression.
Sanitize parameters before calling the query method.
Reconfigure the repository factory bean through a
BeanPostProcessorwith a limited