What is CVE-2022-22980?

CVE-2022-22980 is a vulnerability in Spring Data Mongodb. Published 2022-06-22.

Is CVE-2022-22980 known to be exploited?

30 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Spring Data Mongodb

CVE-2022-22980

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.

EPSS: 0.833 (99.3th percentile) — read the EPSS interpretation.

Affected products

N/a Spring Data Mongodb — versions 3.4.0, 3.3.0 to 3.3.4 and Older

Public proof-of-concept exploits

trganda/CVE-2022-22980
kuron3k0/Spring-Data-Mongodb-Example
li8u99/Spring-Data-Mongodb-Demo
jweny/cve-2022-22980
Vulnmachines/Spring_cve-2022-22980
murataydemir/CVE-2022-22980
Eliasdekiniweek/CVE-2022-22980
W01fh4cker/Serein
WhooAmii/POC_
Whoopsunix/PPPVULNS

References

tanzu.vmware.com/security/cve-2022-22980 (x_refsource_MISC)

Frequently asked questions

What is CVE-2022-22980?: CVE-2022-22980 is a vulnerability in Spring Data Mongodb. Published 2022-06-22.
Is CVE-2022-22980 known to be exploited?: 30 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.