CVE-2022-22980
Published: 23 June 2022
Summary
CVE-2022-22980 is a critical-severity Expression Language Injection (CWE-917) vulnerability in VMware Spring Data MongoDB. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A Spring Data MongoDB application is vulnerable to SpEL injection when a @Query- or @Aggregation-annotated query method uses SpEL expressions that contain query parameter placeholders for value binding and the bound input is not sanitized. The issue is tracked as CVE-2022-22980, carries a CVSS 3.1 score of 9.8, and is associated with CWE-917.
An unauthenticated attacker with network access can supply crafted input that is bound into the SpEL expression, resulting in arbitrary code execution or query manipulation affecting confidentiality, integrity, and availability.
The current EPSS score stands at 0.8332 with a recorded peak of 0.8635. Additional information is published in the advisory at https://tanzu.vmware.com/security/cve-2022-22980.
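To make the affected pattern concrete, the following added example (not code from the advisory or from the Spring Data project) contrasts a repository method that binds its argument through a SpEL parameter placeholder, which is the construct the advisory describes, with methods that bind the same argument as a plain value. It assumes Spring Data MongoDB's documented `?#{[0]}` SpEL placeholder and `?0` positional placeholder syntax; the `Account` document, the `accounts` collection and the `AccountRepository` method names are hypothetical.

```java
import org.springframework.data.annotation.Id;
import org.springframework.data.mongodb.core.mapping.Document;
import org.springframework.data.mongodb.repository.Aggregation;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.mongodb.repository.Query;

import java.util.List;

// Hypothetical document type used only for this illustration.
@Document("accounts")
class Account {
    @Id
    String id;
    String owner;
}

// Hypothetical repository showing the two binding styles side by side.
interface AccountRepository extends MongoRepository<Account, String> {

    // SpEL parameter placeholder: the first method argument is referenced from
    // inside a SpEL expression (?#{[0]}) that Spring Data evaluates before the
    // query is sent. Per the advisory, in affected releases the bound input was
    // not sanitized, so a caller-controlled `owner` value takes part in
    // expression evaluation instead of being treated purely as data. This is
    // the pattern to look for during code review.
    @Query("{ 'owner' : ?#{[0]} }")
    List<Account> findByOwnerViaSpel(String owner);

    // Plain positional placeholder (?0): the argument is bound as a BSON value
    // and is never evaluated as an expression, so the caller's string cannot
    // alter the query's structure. Prefer this whenever SpEL is not required.
    @Query("{ 'owner' : ?0 }")
    List<Account> findByOwner(String owner);

    // The same distinction applies to @Aggregation pipelines: ?0 here is a
    // value binding, not a SpEL expression.
    @Aggregation(pipeline = { "{ '$match' : { 'owner' : ?0 } }" })
    List<Account> matchOwner(String owner);

    // Derived query: no query string at all. Spring Data builds the criteria
    // from the method name and binds the argument as a value.
    List<Account> findByOwnerOrderByIdAsc(String owner);
}
```

Auditing for this CVE therefore means two things: upgrading to a release the vendor advisory lists as fixed, and grepping repository interfaces for `?#{` inside `@Query` and `@Aggregation` strings to find methods whose SpEL placeholders receive request-controlled input, replacing them with positional or derived bindings where the expression adds nothing.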
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-6169
Vulnerability details
A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.
- CWE(s): CWE-917 (Expression Language Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.