CVE-2022-22980

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-22980

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-22980.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-22980

Aliases

GHSA-w24x-87mr-4r23

Published

2022-06-23T17:15:12.120Z

Modified

2026-03-14T11:31:34.695549Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.

References

https://tanzu.vmware.com/security/cve-2022-22980

Affected packages

Git / github.com/spring-projects/spring-data-mongodb

Affected ranges

Type

GIT

Repo

https://github.com/spring-projects/spring-data-mongodb

Events

Introduced

Last affected

e704f147adfb4abca14fa9c8c58c4f442a1c4084

Introduced

Last affected

9cdc79a89a7d2ebfa39596753ff846629f4258b2

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.3.4"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.4.0"
        }
    ]
}

Affected versions

1.*

1.0.0.M1-MongoDB

1.0.0.M2-MongoDB

1.0.0.M3-MongoDB

1.0.0.M4-MongoDB

1.0.0.M5-MongoDB

1.0.0.RC1-MongoDB

1.0.0.RELEASE

1.1.0.M1

1.1.0.M2

1.1.0.RC1

1.1.0.RELEASE

1.1.1.RELEASE

1.10.0.M1

1.2.0.RELEASE

1.3.0.M1

1.3.0.RC1

1.3.0.RELEASE

1.4.0.M1

1.4.0.RC1

1.4.0.RELEASE

1.5.0.M1

1.5.0.RC1

1.5.0.RELEASE

1.6.0.M1

1.6.0.RC1

1.6.0.RELEASE

1.7.0.M1

1.7.0.RC1

1.7.0.RELEASE

1.8.0.M1

1.8.0.RC1

1.8.0.RELEASE

1.9.0.M1

1.9.0.RC1

1.9.0.RELEASE

2.*

2.0.0.M1

2.0.0.M2

2.0.0.M3

2.0.0.M4

2.0.0.RC1

2.0.0.RC2

2.0.0.RC3

2.0.0.RELEASE

2.1.0.M1

2.1.0.M2

2.1.0.M3

2.1.0.RC1

2.1.0.RC2

2.1.0.RELEASE

2.2.0.M1

2.2.0.M2

2.2.0.M3

2.2.0.M4

2.2.0.RC1

2.2.0.RC2

2.2.0.RC3

2.2.0.RELEASE

3.*

3.0.0.M1

3.0.0.M2

3.0.0.M3

3.0.0.M4

3.0.0.RC1

3.0.0.RC2

3.0.0.RELEASE

3.1.0

3.1.0-M1

3.1.0-M2

3.1.0-RC1

3.1.0-RC2

3.2.0

3.2.0-M1

3.2.0-M2

3.2.0-M3

3.2.0-M4

3.2.0-M5

3.2.0-RC1

3.3.0

3.3.0-M1

3.3.0-M2

3.3.0-M3

3.3.0-RC1

3.3.1

3.3.2

3.3.3

3.3.4

3.4.0

3.4.0-M1

3.4.0-M2

3.4.0-M3

3.4.0-M4

3.4.0-RC1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-22980.json"