VMware offers training and certification to turbo-charge your progress.Learn more
A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.
Specifically, an application is vulnerable when all of the following are true:
An application is not vulnerable if any of the following is true:
Users of affected versions should apply the following mitigation: 3.4.x users should upgrade to 3.4.1+. 3.3.x users should upgrade to 3.3.5+. No other steps are necessary. There are other mitigation steps for applications that cannot upgrade to the above versions.
Other mitigation steps:
Releases that have fixed this issue include:
This issue was identified and responsibly reported by Zewei Zhang from NSFOCUS TIANJI Lab.