Spring - Remote Code Execution (CVE-2022-22980)

Spring framework is affected by a Remote Code Execution vulnerability in the Spring Data, affecting the MongoDB applications. The vulnerability affects applications that are using repository query methods that are annotated with @Query or @Aggregation and use parametrized SpEL (Spring Expression Language) statements. A specific exploit requires the usage of non-sanitized input to the repository query method. This may potentially cause remote code execution, allowing a malicious unauthenticated attacker to execute arbitrary code on the server.

The risk exists that a remote unauthenticated attacker can fully compromise the Spring Framework to steal confidential information, install ransomware, or pivot to the internal network.

Upgrade the Spring Framework to the latest version.

https://nvd.nist.gov/vuln/detail/CVE-2022-22980

https://spring.io/blog/2022/06/20/spring-data-mongodb-spel-expression-injection-vulnerability-cve-2022-22980