Spring Data MongoDB SpEL Expression Injection Vulnerability (CVE-2022-22980)

2022-06-20 12:39:00
Mark Paluch
spring.io
9.8 High (CVSS3)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium (CVSS2)

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
  • Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Updates

  • [06-20] CVE-2022-22980 is published
  • [06-20] Spring Data MongoDB 3.4.1 and 3.3.5 are available

Table of Contents

  • Overview
  • Vulnerability
  • Am I Impacted
  • Status
  • Suggested Workarounds

Overview

We would like to announce that we have released Spring Data MongoDB 3.4.1 and 3.3.5 to address the following CVE report:

This vulnerability was responsibly reported by Zewei Zhang from NSFOCUS TIANJI Lab on Monday, June 13, 2022. The full report will be published to MITRE and as a security advisory under tanzu.vmware.com/security in the upcoming days.

Vulnerability

The vulnerability affects Spring Data MongoDB applications using repository query methods that are annotated with @Query or @Aggregation and use parametrized SpEL statements. Exploitation requires that non-sanitized input reaches the repository query method.

Am I Impacted?

These are the necessary conditions for the specific vulnerability:

  • Declaration of repository query methods annotated with @Query or @Aggregation that make use of SpEL (Spring Expression Language) and use input parameter references (?0, ?1, …) within the SpEL expression
  • spring-data-mongodb dependency
  • Spring Data MongoDB 3.4.0, 3.3.0 to 3.3.4, and older versions

Additional Notes

  • The issue relates to repository query method invocation to assemble the MongoDB query using expressions. The vulnerability occurs during query assembly and does not require the query to be executed for exploitation.
  • Referencing SpEL arguments through the array syntax ([0], [1], …) does not create a vulnerability and is the recommended workaround if you cannot upgrade to a version that contains the fix.
  • The vulnerability can only be exploited if an application invokes the query method with non-sanitized user input. Likewise, arrangements that expose repository query methods without involving additional application code (such as Spring Data REST) are vulnerable as well.

Status

  • Spring Data MongoDB 3.4.1 and 3.3.5, which contain the fixes, have been released.

Suggested Workarounds

The preferred response is to update to Spring Data MongoDB 3.4.1 or 3.3.5 or greater. If you have done this, then no workarounds are necessary. However, some may be in a position where upgrading cannot be done quickly. For that reason, we have provided some workarounds below.

  • Using Array Syntax
  • Implementing a custom repository method

Please note that workarounds are not necessarily mutually exclusive since security is best done "in-depth".

Using Array Syntax

If your application requires dynamic SpEL expressions whose arguments are controlled by user input, then referencing those arguments with the array syntax ([0], [1], …) instead of positional placeholders (?0, ?1, …) is a safe way to access SpEL arguments.
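As an added example (not part of this advisory or of the Spring Data project), the following audit script scans Java repository sources for the pattern described above: an @Query or @Aggregation whose SpEL block contains a positional placeholder (?0, ?1, …), while leaving array-syntax references ([0]) and plain, non-SpEL placeholders alone. It assumes Spring Data MongoDB's `?#{ ... }` delimiter for SpEL inside query strings; the sample repository interface is constructed for the demonstration.

```python
import re
# Spring Data MongoDB embeds SpEL in @Query/@Aggregation strings as ?#{ ... }.
SPEL_BLOCK = re.compile(r"\?#\{([^}]*)\}")
PARAM_REF = re.compile(r"\?\d+")  # positional placeholder ?0, ?1, ... (risky inside SpEL)
ANNOTATION_START = re.compile(r"@(Query|Aggregation)\s*\(")

def _annotation_end(src: str, start: int) -> int:
    """Index just past the ')' that closes the annotation opening at src[start:]."""
    depth, in_str, i = 0, False, src.index("(", start)
    while i < len(src):
        c = src[i]
        if in_str:
            if c == "\\":
                i += 1  # skip the escaped character inside a Java string literal
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unterminated annotation")

def find_risky_annotations(java_source: str) -> list[tuple[int, str]]:
    """(line, text) of each @Query/@Aggregation whose SpEL block contains a ?N placeholder."""
    hits = []
    for m in ANNOTATION_START.finditer(java_source):
        text = java_source[m.start():_annotation_end(java_source, m.start())]
        if any(PARAM_REF.search(spel) for spel in SPEL_BLOCK.findall(text)):
            hits.append((java_source.count("\n", 0, m.start()) + 1, text))
    return hits

# Constructed sample repository (not from the advisory) mixing risky and safe declarations.
SAMPLE_REPOSITORY = '''public interface PersonRepository extends MongoRepository<Person, String> {
    @Query("{ 'lastname': ?#{?0} }")              // risky: ?0 inside the SpEL block
    List<Person> findByLastnameRisky(String lastname);
    @Query("{ 'lastname': ?#{[0]} }")             // safe: array-syntax argument access
    List<Person> findByLastnameSafe(String lastname);
    @Query("{ 'firstname': ?0 }")                 // safe: plain placeholder, no SpEL
    List<Person> findByFirstname(String firstname);
    @Aggregation(pipeline = { "{ $match: { 'age': ?#{?1} } }", "{ $count: 'n' }" })
    Long countByAgeRisky(String unused, int age);
}'''

if __name__ == "__main__":
    for line, text in find_risky_annotations(SAMPLE_REPOSITORY):
        print(f"line {line}: {text}")
```

Run against a real code base, the script reports the declarations that should be migrated to the array syntax or to a custom repository method until the upgrade can be done.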

Implementing a custom repository method

Replacing the SpEL expression with a custom repository method implementation is a viable workaround to assemble your dynamic query within the application code. Refer to the reference documentation on repository customization for further details.