Cyber Resilience

CVE-2022-22980

Critical · RCE

Published: 23 June 2022

Modified: 21 November 2024
KEV added: not listed
Patch: (none listed)
CVSS v3.1 score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.8332 (99.3rd percentile)
Risk priority: 70 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-22980 is a critical-severity Expression Language Injection (CWE-917) vulnerability in VMware Spring Data MongoDB. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized. The issue is tracked as CVE-2022-22980, carries a CVSS 3.1 score of 9.8, and is associated with CWE-917.

An unauthenticated attacker with network access can supply crafted input that is bound into the SpEL expression, resulting in arbitrary code execution or query manipulation that affects confidentiality, integrity, and availability.

The current EPSS score stands at 0.8332 with a recorded peak of 0.8635. Additional information is published in the advisory at https://tanzu.vmware.com/security/cve-2022-22980.
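To make the condition in the analysis concrete, here is an added Java example showing the binding style the advisory describes beside a hardened form. It is not code from this page, from VMware or from the Spring Data project; the Person document, both repository interfaces, the PersonLookupService class and its allow-list pattern are constructed for illustration. The SpEL placeholder syntax (?#{[0]}) and the positional placeholder syntax (?0) are Spring Data MongoDB's documented @Query forms.

```java
import java.util.List;
import java.util.regex.Pattern;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.mongodb.repository.Query;

// Constructed document type for the example (not from the advisory).
public class Person {
    public String id;
    public String lastname;
}

// The pattern the advisory describes: the method argument is bound through a
// SpEL placeholder, so on affected versions (3.4.0 and <= 3.3.4 per this page)
// unsanitized caller input reaches expression evaluation instead of being
// treated purely as a query value.
interface UnsafePersonRepository extends MongoRepository<Person, String> {
    @Query("{ 'lastname' : ?#{[0]} }")
    List<Person> findByLastnameSpel(String lastname);
}

// Hardened form: a positional placeholder binds the argument as a plain query
// value with no SpEL evaluation involved.
interface SafePersonRepository extends MongoRepository<Person, String> {
    @Query("{ 'lastname' : ?0 }")
    List<Person> findByLastname(String lastname);
}

// Defense in depth at the service boundary (hypothetical helper): allow-list
// the input shape before it reaches any query method, so that values which
// could only make sense as expression syntax are rejected up front.
class PersonLookupService {
    // Constructed allow-list: letters, apostrophe, hyphen and space, 1..64 chars.
    private static final Pattern LASTNAME = Pattern.compile("^[\\p{L}' -]{1,64}$");
    private final SafePersonRepository repo;

    PersonLookupService(SafePersonRepository repo) {
        this.repo = repo;
    }

    List<Person> lookup(String lastname) {
        if (lastname == null || !LASTNAME.matcher(lastname).matches()) {
            throw new IllegalArgumentException("rejected lastname input");
        }
        return repo.findByLastname(lastname);
    }
}
```

For triage, the actionable check is whether any @Query or @Aggregation method in the code base uses ?#{...} placeholders fed from request-controlled arguments; switching those to positional ?0 placeholders and validating input at the boundary removes the injection path the advisory describes, while upgrading off the affected versions listed on this page remains the primary fix.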

Vulnerability details

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.

CWE(s)

CWE-917 (Expression Language Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

VMware Spring Data MongoDB: 3.4.0 and ≤ 3.3.4

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References

VMware advisory: https://tanzu.vmware.com/security/cve-2022-22980