CVE-2022-22980
- Source
- https://cve.org/CVERecord?id=CVE-2022-22980
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-22980.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-22980
- Aliases
- Published
- 2022-06-23T17:15:12.120Z
- Modified
- 2026-02-13T08:48:07.878225Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.
- References
Affected packages
Git / github.com/spring-projects/spring-data-mongodb
Affected ranges
- Type
- GIT
- Repo
- https://github.com/spring-projects/spring-data-mongodb
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected
Affected versions
1.*
1.0.0.M1-MongoDB
1.0.0.M2-MongoDB
1.0.0.M3-MongoDB
1.0.0.M4-MongoDB
1.0.0.M5-MongoDB
1.0.0.RC1-MongoDB
1.0.0.RELEASE
1.1.0.M1
1.1.0.M2
1.1.0.RC1
1.1.0.RELEASE
1.1.1.RELEASE
1.10.0.M1
1.2.0.RELEASE
1.3.0.M1
1.3.0.RC1
1.3.0.RELEASE
1.4.0.M1
1.4.0.RC1
1.4.0.RELEASE
1.5.0.M1
1.5.0.RC1
1.5.0.RELEASE
1.6.0.M1
1.6.0.RC1
1.6.0.RELEASE
1.7.0.M1
1.7.0.RC1
1.7.0.RELEASE
1.8.0.M1
1.8.0.RC1
1.8.0.RELEASE
1.9.0.M1
1.9.0.RC1
1.9.0.RELEASE
2.*
2.0.0.M1
2.0.0.M2
2.0.0.M3
2.0.0.M4
2.0.0.RC1
2.0.0.RC2
2.0.0.RC3
2.0.0.RELEASE
2.1.0.M1
2.1.0.M2
2.1.0.M3
2.1.0.RC1
2.1.0.RC2
2.1.0.RELEASE
2.2.0.M1
2.2.0.M2
2.2.0.M3
2.2.0.M4
2.2.0.RC1
2.2.0.RC2
2.2.0.RC3
2.2.0.RELEASE
3.*
3.0.0.M1
3.0.0.M2
3.0.0.M3
3.0.0.M4
3.0.0.RC1
3.0.0.RC2
3.0.0.RELEASE
3.1.0
3.1.0-M1
3.1.0-M2
3.1.0-RC1
3.1.0-RC2
3.2.0
3.2.0-M1
3.2.0-M2
3.2.0-M3
3.2.0-M4
3.2.0-M5
3.2.0-RC1
3.3.0
3.3.0-M1
3.3.0-M2
3.3.0-M3
3.3.0-RC1
3.3.1
3.3.2
3.3.3
3.3.4