VMware Spring Data MongoDB up to 3.3.4/3.4.0 SpEL Expression injection

A vulnerability, which was classified as critical, was found in VMware Spring Data MongoDB up to 3.3.4/3.4.0 (Database Software). Affected is the SpEL Expression Handler: an application is vulnerable to SpEL injection when it uses @Query or @Aggregation-annotated query methods whose SpEL expressions contain query parameter placeholders for value binding and the bound input is not sanitized. Upgrading to version 3.3.5 or 3.4.1 eliminates this vulnerability.
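The following is an added illustration, not code from the advisory or from the Spring Data project. It shows a repository in the shape the summary describes (a query parameter placeholder used for value binding inside a SpEL expression) beside two hardened forms, plus an allow-list guard in front of the query method. The entity, repository, service and field names are hypothetical, the first method's annotation is my reconstruction of the vulnerable pattern rather than a verified proof of concept, and the `?0` and `?#{[0]}` binding styles are the documented Spring Data MongoDB forms.

```java
// Added example, not code from the advisory or from the Spring Data project.
// Entity, repository, service and field names are hypothetical.
import java.util.List;
import java.util.regex.Pattern;

import org.springframework.data.annotation.Id;
import org.springframework.data.mongodb.core.mapping.Document;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.mongodb.repository.Query;

@Document("people")
class Person {
    @Id
    String id;
    String firstname;
    String lastname;
}

interface PersonRepository extends MongoRepository<Person, String> {

    // The pattern the advisory describes (my reconstruction): a query parameter
    // placeholder (?0) used for value binding *inside* a SpEL expression
    // (?#{...}). On unpatched 3.3.x / 3.4.0 the caller-supplied string becomes
    // part of the expression that SpEL evaluates, so a value that is not a
    // plain name can alter the expression rather than just the bound value.
    @Query("{ 'firstname': ?#{'?0'} }")
    List<Person> findByFirstnameSpelPlaceholder(String firstname);

    // Hardened form 1: no SpEL at all. A bare ?0 placeholder is bound as a
    // BSON value and is never parsed as an expression.
    @Query("{ 'firstname': ?0 }")
    List<Person> findByFirstname(String firstname);

    // Hardened form 2: when SpEL is actually needed, reference the argument
    // through the documented index form [0]. SpEL then reads the argument as
    // a value from its evaluation context instead of splicing text into the
    // expression.
    @Query("{ 'firstname': ?#{[0]} }")
    List<Person> findByFirstnameSpelIndexed(String firstname);
}

// Defence in depth: constrain what reaches any @Query method that still uses
// SpEL, so that even an unpatched dependency only ever sees benign values.
// The allow-list (letters, spaces, hyphens, at most 64 characters) is an
// assumption about what a first name may look like in this application.
class PersonLookupService {
    private static final Pattern SAFE_NAME = Pattern.compile("^[\\p{L}][\\p{L} \\-]{0,63}$");
    private final PersonRepository repository;

    PersonLookupService(PersonRepository repository) {
        this.repository = repository;
    }

    static boolean isSafeName(String value) {
        return value != null && SAFE_NAME.matcher(value).matches();
    }

    List<Person> lookup(String untrustedFirstname) {
        if (!isSafeName(untrustedFirstname)) {
            // Reject rather than escape: there is no reliable escaping for a
            // value that is about to be placed inside an expression language.
            throw new IllegalArgumentException("first name contains disallowed characters");
        }
        return repository.findByFirstname(untrustedFirstname);
    }
}
```

The guard is a mitigation, not a substitute for the fixed versions: the reliable remedy stated above is upgrading to 3.3.5 or 3.4.1, after which the placeholder is bound as a value rather than treated as expression text.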

Timeline

The analysis of the timeline helps to identify the required approach and handling of single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance, to initiate an immediate vulnerability response and to prioritize issues.

| ID | Committed | User | Field | Change | Remarks | Accepted | Reason | Conf % |
|---|---|---|---|---|---|---|---|---|
| 12643721 | 06/23/2022 | VulD... | price_0day | $5k-$25k | see exploit price documentation | 06/23/2022 | accepted | 90 |
| 12643720 | 06/23/2022 | VulD... | cvss3_meta_tempscore | 5.4 | see CVSS documentation | 06/23/2022 | accepted | 90 |
| 12643719 | 06/23/2022 | VulD... | cvss3_meta_basescore | 5.6 | see CVSS documentation | 06/23/2022 | accepted | 90 |
| 12643718 | 06/23/2022 | VulD... | cvss3_vuldb_tempscore | 5.4 | see CVSS documentation | 06/23/2022 | accepted | 90 |
| 12643717 | 06/23/2022 | VulD... | cvss3_vuldb_basescore | 5.6 | see CVSS documentation | 06/23/2022 | accepted | 90 |
| 12643716 | 06/23/2022 | VulD... | cvss2_vuldb_tempscore | 4.4 | see CVSS documentation | 06/23/2022 | accepted | 90 |
| 12643715 | 06/23/2022 | VulD... | cvss2_vuldb_basescore | 5.1 | see CVSS documentation | 06/23/2022 | accepted | 90 |
| 12643714 | 06/23/2022 | VulD... | cvss3_vuldb_e | X | derived from historical data | 06/23/2022 | accepted | 80 |
| 12643713 | 06/23/2022 | VulD... | cvss2_vuldb_e | ND | derived from historical data | 06/23/2022 | accepted | 80 |
| 12643712 | 06/23/2022 | VulD... | cvss2_vuldb_rl | OF | derived from vuldb v3 vector | 06/23/2022 | accepted | 80 |
| 12643711 | 06/23/2022 | VulD... | cvss2_vuldb_rc | C | derived from vuldb v3 vector | 06/23/2022 | accepted | 80 |
| 12643710 | 06/23/2022 | VulD... | cvss2_vuldb_ai | P | derived from vuldb v3 vector | 06/23/2022 | accepted | 80 |
| 12643709 | 06/23/2022 | VulD... | cvss2_vuldb_ii | P | derived from vuldb v3 vector | 06/23/2022 | accepted | 80 |
| 12643708 | 06/23/2022 | VulD... | cvss2_vuldb_ci | P | derived from vuldb v3 vector | 06/23/2022 | accepted | 80 |
| 12643707 | 06/23/2022 | VulD... | cvss2_vuldb_au | N | derived from vuldb v3 vector | 06/23/2022 | accepted | 80 |
| 12643706 | 06/23/2022 | VulD... | cvss2_vuldb_ac | H | derived from vuldb v3 vector | 06/23/2022 | accepted | 80 |
| 12643705 | 06/23/2022 | VulD... | cvss2_vuldb_av | N | derived from vuldb v3 vector | 06/23/2022 | accepted | 80 |
| 12643704 | 06/23/2022 | VulD... | type | Database Software | | 06/23/2022 | accepted | 90 |
| 12643703 | 06/23/2022 | VulD... | date | 1655935200 (06/23/2022) | | 06/23/2022 | accepted | 90 |
| 12643702 | 06/23/2022 | VulD... | cve_nvd_summary | A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized. | cve.org | 06/23/2022 | accepted | 90 |

21 more entries are not shown
