=================================================================== CERT-Renater Note d'Information No. 2022/VULN237 _____________________________________________________________________ DATE : 06/07/2022 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Spring Data MongoDB versions prior to 3.4.1+, 3.3.5+. ====================================================================https://tanzu.vmware.com/security/cve-2022-22980 _____________________________________________________________________ CVE-2022-22980: Spring Data MongoDB SpEL Expression injection vulnerability through annotated repository query methods Severity High Vendor Spring by VMware Description A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized. Specifically, an application is vulnerable when all of the following are true: A repository query method is annotated with @Query or @Aggregation The annotated query or aggregation value/pipeline contains SpEL parts using the parameter placeholder syntax within the expression The user supplied input is not sanitized by the application An application is not vulnerable if any of the following is true: The annotated repository query or aggregation method does not contain expressions The annotated repository query or aggregation method does not use the parameter placeholder syntax within the expression The user supplied input is sanitized by the application The repository is configured to use a QueryMethodEvaluationContextProvider that limits SpEL usage Affected VMware Products and Versions Severity is high unless otherwise noted. Spring Data MongoDB 3.4.0 3.3.0 to 3.3.4 Older, unsupported versions are also affected Mitigation Users of affected versions should apply the following mitigation: 3.4.x users should upgrade to 3.4.1+. 3.3.x users should upgrade to 3.3.5+. No other steps are necessary. There are other mitigation steps for applications that cannot upgrade to the above versions. Other mitigation steps: Rewrite query or aggregation declarations to use parameter references (“[0]” instead of “?0“) within the expression Sanitize parameters before calling the query method Reconfigure the repository factory bean through a BeanPostProcessor with a limited QueryMethodEvaluationContextProvider Releases that have fixed this issue include: Spring Data MongoDB 3.4.1+ 3.3.5+ Credit This issue was identified and responsibly reported by Zewei Zhang from NSFOCUS TIANJI Lab. References https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:H/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:H&version=3.1 History 2022-06-20: Initial vulnerability report published. ========================================================+ CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =======================================================