A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.
2022-06-23T17:15:12.120
2024-11-21T06:47:44.063
Modified
CVSSv3.1: 9.8 (CRITICAL)
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.6
6.4
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | vmware | spring_data_mongodb | ≤ 3.3.4 | Yes |
| Application | vmware | spring_data_mongodb | 3.4.0 | Yes |