38 matches found
This Week in Spring - July 26th, 2022
Aloha, Spring fans! Im on vacation, reporting to you from the paradise-like island of Maui, Hawaii, and hoping that youre having a wonderful day! My family and I love Hawaii. Its brimming with beauty and serenity, and while the island of Maui, in the state of Hawaii, is very small, the islands ar...
CVE-2022-22980
A flaw was found in the Spring Data MongoDB. This flaw allows an attacker to perform code injection when an application uses some annotations/query methods with Spring Expression Language SpEL expressions...
ai.platon.commons:distributed-lock-example (>=1.4.2 <=1.4.3), ai.platon.commons:distributed-lock-mongo (>=1.4.2 <=1.4.3) +1242 more potentially affected by CVE-2022-22980 via org.springframework.data:spring-data-mongodb (>=1.0.0.RELEASE <=3.3.4)
org.springframework.data:spring-data-mongodb MAVEN version =1.0.0.RELEASE, =1.4.2, =1.4.2, =1.6.6, =1.6.6, =0.0.1, =0.0.1, =0.9.1, =0.1.0, =0.1.0, =3.0.0.RELEASE, =1.1.13, =2.0.2 and more Source cves: CVE-2022-22980 Source advisory: OSV:GHSA-W24X-87MR-4R23...
cn.airfei.air-core:core (=3.0.0), com.alpactech:mt-mongo (=1.0.0) +40 more potentially affected by CVE-2022-22980 via org.springframework.data:spring-data-mongodb (=3.4.0)
org.springframework.data:spring-data-mongodb MAVEN version =3.4.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.data:spring-data-mongodb and may be impacted: - cn.airfei.air-core:core =3.0.0 - com.alpactech:mt-mongo =1.0.0 -...
GHSA-W24X-87MR-4R23 SpEL Injection in Spring Data MongoDB
A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized...
SpEL Injection in Spring Data MongoDB
A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized...
CVE-2022-22980
A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized...
CVE-2022-22980
A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized...
Sql injection
A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized...
Update on Spring Data MongoDB SpEL Expression Injection Vulnerability (CVE-2022-22980)
Background On June 20, 2022 Spring released Spring Data MongoDB 3.4.1 and 3.3.5 to address a critical CVE report: CVE-2022-22980: Spring Data MongoDB SpEL Expression injection vulnerability through annotated repository query methods. This vulnerability was originally reported on June 13, 2022...
Spring Data MongoDB 安全漏洞
Spring Framework is the U.S. Spring team of a set of open source Java, JavaEE application framework. The framework helps developers build high-quality applications. A security vulnerability exists in Spring Data MongoDB that stems from vulnerability to SpEL injection when using @Query or...
The vulnerability of software for unifying and simplifying access to Spring Data MongoDB databases, related to errors in processing SpEL expressions, allows a perpetrator to execute arbitrary code.
The vulnerability of the software for unifying and simplifying access to Spring Data MongoDB databases is related to errors in processing SpEL expressions. Exploiting this vulnerability allows a malicious actor to execute arbitrary code by sending a specially crafted SpEL query...
CVE-2022-22980
A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized...
CVE-2022-22980
A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized...
CVE-2022-22980
CVE-2022-22980 is a SpEL injection flaw in Spring Data MongoDB where @Query/@Aggregation queries containing parameter placeholders can be exploited if input isn’t sanitized. Public advisories (VMware/Spring/TENABLE, IBM, Red Hat, OSV) confirm remote code execution risk and provide fixes: upgrade ...
SpEL Injection Attacks
spring-data-mongodb is vulnerable to Spring Expression Language SpEL injection. The vulnerability exists due to the non-sanitized input in the repository query method, allowing an attacker to inject and execute malicious SpEL to the repository query method when it is annotated with @Query or...
Spring Data MongoDB SpEL Expression Injection Vulnerability (CVE-2022-22980)
Updates 06-20 CVE-2022-22980 is published 06-20 Spring Data MongoDB 3.4.1 and 3.3.5 are available Table of Contents Overview Vulnerability Am I Impacted Status Suggested Workarounds Overview We would like to announce that we have released Spring Data MongoDB 3.4.1 and 3.3.5 to address the followi...
Spring Data MongoDB SpEL Expression injection vulnerability through annotated repository query methods
A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized. Specifically, an application is vulnerable when all of the...