GHSA-w24x-87mr-4r23
Suggest an improvement- Source
- https://github.com/advisories/GHSA-w24x-87mr-4r23
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-w24x-87mr-4r23/GHSA-w24x-87mr-4r23.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-w24x-87mr-4r23
- Aliases
- Published
- 2022-06-24T00:00:30Z
- Modified
- 2023-11-08T04:08:15.609840Z
- Severity
-
- 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- SpEL Injection in Spring Data MongoDB
- Details
-
A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2022-06-25T07:21:52Z", "nvd_published_at": "2022-06-23T17:15:00Z", "severity": "CRITICAL", "cwe_ids": [ "CWE-917" ] }- References
Affected packages
Maven / org.springframework.data:spring-data-mongodb
Package
- Name
- org.springframework.data:spring-data-mongodb
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.data/spring-data-mongodb
Maven / org.springframework.data:spring-data-mongodb
Package
- Name
- org.springframework.data:spring-data-mongodb
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.data/spring-data-mongodb
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.3.5
Affected versions
1.*
1.0.0.RELEASE
1.0.1.RELEASE
1.0.2.RELEASE
1.0.3.RELEASE
1.0.4.RELEASE
1.1.0.RELEASE
1.1.1.RELEASE
1.1.2.RELEASE
1.2.0.RELEASE
1.2.1.RELEASE
1.2.2.RELEASE
1.2.3.RELEASE
1.2.4.RELEASE
1.3.0.RELEASE
1.3.1.RELEASE
1.3.2.RELEASE
1.3.3.RELEASE
1.3.4.RELEASE
1.3.5.RELEASE
1.4.0.RELEASE
1.4.1.RELEASE
1.4.2.RELEASE
1.4.3.RELEASE
1.5.0.RELEASE
1.5.1.RELEASE
1.5.2.RELEASE
1.5.4.RELEASE
1.5.5.RELEASE
1.5.6.RELEASE
1.6.0.RELEASE
1.6.1.RELEASE
1.6.2.RELEASE
1.6.3.RELEASE
1.6.4.RELEASE
1.7.0.RELEASE
1.7.1.RELEASE
1.7.2.RELEASE
1.8.0.RELEASE
1.8.1.RELEASE
1.8.2.RELEASE
1.8.4.RELEASE
1.8.5.RELEASE
1.8.6.RELEASE
1.9.0.RELEASE
1.9.1.RELEASE
1.9.2.RELEASE
1.9.3.RELEASE
1.9.4.RELEASE
1.9.5.RELEASE
1.9.6.RELEASE
1.9.7.RELEASE
1.9.8.RELEASE
1.9.9.RELEASE
1.9.10.RELEASE
1.9.11.RELEASE
1.10.0.RELEASE
1.10.1.RELEASE
1.10.2.RELEASE
1.10.3.RELEASE
1.10.4.RELEASE
1.10.5.RELEASE
1.10.6.RELEASE
1.10.7.RELEASE
1.10.8.RELEASE
1.10.9.RELEASE
1.10.10.RELEASE
1.10.11.RELEASE
1.10.12.RELEASE
1.10.13.RELEASE
1.10.14.RELEASE
1.10.15.RELEASE
1.10.16.RELEASE
1.10.17.RELEASE
1.10.18.RELEASE
1.10.20.RELEASE
1.10.21.RELEASE
1.10.22.RELEASE
1.10.23.RELEASE
2.*
2.0.0.RELEASE
2.0.1.RELEASE
2.0.2.RELEASE
2.0.3.RELEASE
2.0.4.RELEASE
2.0.5.RELEASE
2.0.6.RELEASE
2.0.7.RELEASE
2.0.8.RELEASE
2.0.9.RELEASE
2.0.10.RELEASE
2.0.11.RELEASE
2.0.12.RELEASE
2.0.13.RELEASE
2.0.14.RELEASE
2.1.0.RELEASE
2.1.1.RELEASE
2.1.2.RELEASE
2.1.3.RELEASE
2.1.4.RELEASE
2.1.5.RELEASE
2.1.6.RELEASE
2.1.7.RELEASE
2.1.8.RELEASE
2.1.9.RELEASE
2.1.10.RELEASE
2.1.11.RELEASE
2.1.12.RELEASE
2.1.13.RELEASE
2.1.14.RELEASE
2.1.15.RELEASE
2.1.16.RELEASE
2.1.17.RELEASE
2.1.18.RELEASE
2.1.19.RELEASE
2.1.20.RELEASE
2.1.21.RELEASE
2.2.0.RELEASE
2.2.1.RELEASE
2.2.2.RELEASE
2.2.3.RELEASE
2.2.4.RELEASE
2.2.5.RELEASE
2.2.6.RELEASE
2.2.7.RELEASE
2.2.8.RELEASE
2.2.9.RELEASE
2.2.10.RELEASE
2.2.11.RELEASE
2.2.12.RELEASE
2.2.13.RELEASE
3.*
3.0.0.RELEASE
3.0.1.RELEASE
3.0.2.RELEASE
3.0.3.RELEASE
3.0.4.RELEASE
3.0.5.RELEASE
3.0.6.RELEASE
3.0.7.RELEASE
3.0.8.RELEASE
3.0.9.RELEASE
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.2.10
3.2.11
3.2.12
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4