VMware offers training and certification to turbo-charge your progress.Learn more
We would like to announce that we have released Spring Data MongoDB 3.4.1 and 3.3.5 to address the following CVE report:
This vulnerability was responsibly reported by Zewei Zhang from NSFOCUS TIANJI Lab on Monday, June 13 2022. The full report will be published to MITRE and as security advisory under tanzu.vmware.com/security in the upcoming days.
The vulnerability affects Spring Data MongoDB applications using repository query methods that are annotated with
@Aggregation and use parametrized SpEL statements. A specific exploit requires the usage of non-sanitized input to the repository query method.
These are the necessary conditions for the specific vulnerability:
@Aggregationthat make use of SpEL (Spring Expression Language) and use input parameter references (
?1, …) within the SpEL expression
[…]) does not create a vulnerability and is a recommended workaround if you cannot upgrade to a version that contains the fix
The preferred response is to update to Spring Data MongoDB 3.4.1 and 3.3.5 or greater. If you have done this, then no workarounds are necessary. However, some may be in a position where upgrading is impossible to do quickly. For that reason, we have provided some workarounds below.
Please note that workarounds are not necessarily mutually exclusive since security is best done "in-depth".
If your application requires dynamic SpEL expressions that are controlled by user input, then referencing SpEL arguments using the array syntax
 is a safe way to access SpEL arguments.
Replacing the SpEL expression with a custom repository method implementation is a viable workaround to assemble your dynamic query within the application code. Refer to the reference documentation on repository customization for further details.