CVE-2022-22980: Spring Data MongoDB SpEL Expression injection vulnerability through annotated repository query methods

HIGH | JUNE 20, 2022 | CVE-2022-22980

Description

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.

Specifically, an application is vulnerable when all of the following are true:

A repository query method is annotated with @Query or @Aggregation
The annotated query or aggregation value/pipeline contains SpEL parts using the parameter placeholder syntax within the expression
The user supplied input is not sanitized by the application

An application is not vulnerable if any of the following is true:

The annotated repository query or aggregation method does not contain expressions
The annotated repository query or aggregation method does not use the parameter placeholder syntax within the expression
The user supplied input is sanitized by the application
The repository is configured to use a QueryMethodEvaluationContextProvider that limits SpEL usage

Affected Spring Products and Versions

Spring Data MongoDB
- 3.4.0
- 3.3.0 to 3.3.4
- Older, unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation: 3.4.x users should upgrade to 3.4.1+. 3.3.x users should upgrade to 3.3.5+. No other steps are necessary. There are other mitigation steps for applications that cannot upgrade to the above versions.

Other mitigation steps:

Rewrite query or aggregation declarations to use parameter references (“[0]” instead of “?0“) within the expression
Sanitize parameters before calling the query method
Reconfigure the repository factory bean through a BeanPostProcessor with a limited QueryMethodEvaluationContextProvider

Releases that have fixed this issue include: