The Spring Data MongoDB SpEL Expression Injection Vulnerability — CVE-2022–22980
We would like to announce that we have released Spring Data MongoDB 3.4.1 and 3.3.5 to address the following CVE report:
CVE-2022–22980: Spring Data MongoDB SpEL Expression injection vulnerability through annotated repository query methods
This vulnerability was responsible for information about an expression injection vulnerability in Spring Data MongoDB SpEL. The CVSSv3 score of this vulnerability is 8.2, the vulnerability number: is CVE-2022–22980, and the vulnerability threat level: high risk. Spring Data MongoDB applications are vulnerable to SpEL injection attacks when the input is not filtered when value binding to query methods annotated with @Query or @Aggregation for SpEL expressions that contain query parameter placeholders.
The vulnerability affects Spring Data MongoDB applications using repository query methods annotated with @Query or @Aggregation and parametrized SpEL statements. A specific exploit requires the usage of non-sanitized input to the repository query method.
These are the necessary conditions for the specific vulnerability:
- Spring Data MongoDB 3.4.0
- Spring Data MongoDB 3.3.0–3.3.4
- Older, unsupported versions are also affected
Declaration of repository query methods annotated with @Query or @Aggregation that make use of SpEL (Spring Expression Language) and use input parameter references (?0, ?1, …) within the SpEL expression
- Spring-data-mongodb dependency
The issue relates to the repository query method invocation to assemble the MongoDB query using expressions. The vulnerability occurs during query assembly and does not require the query to be executed for exploitation.
Referencing SpEL arguments through the array syntax (, , […]) does not create a vulnerability and is a recommended workaround if you cannot upgrade to a version that contains the fix
The vulnerability can only be exploited if an application invokes the query method with non-sanitized user input. Alternatively, arrangements that expose repository query methods without involving additional application code (such as Spring Data REST) are vulnerable as well.
The preferred response is to update to Spring Data MongoDB 3.4.1 and 3.3.5 or greater. If you have done this, then no workarounds are necessary. However, some may be in a position where upgrading is impossible to do quickly. For that reason, we have provided some workarounds below.
Please note that workarounds are not necessarily mutually exclusive since security is best done “in-depth”.
Using Array Syntax
If your application requires dynamic SpEL expressions that are controlled by user input, then referencing SpEL arguments using the array syntax  is a safe way to access SpEL arguments.
Implementing a custom repository method
Replacing the SpEL expression with a custom repository method implementation is a viable workaround to assemble your dynamic query within the application code. Refer to the reference documentation on repository customization for further details.
- Users of affected versions should apply the following mitigation: 3.4.x users should upgrade to 3.4.1+. 3.3.x users should upgrade to 3.3.5+. No other steps are necessary. There are other mitigation steps for applications that cannot upgrade to the above versions.
- Rewrite the query or aggregation declarations to use parameter references (“” instead of “?0“) within the expression
- Sanitize parameters before calling the query method.
- Reconfigure the repository factory bean through a BeanPostProcessor with a limited QueryMethodEvaluationContextProvider
- Filter parameters before calling the query method.
- Reconfigure repository factory bean via BeanPostProcessor with restricted QueryMethodEvaluationContextProvider.
Originally published at https://tutorialboy24.blogspot.com