Spring Data MongoDB hit by another critical SpEL injection flaw


UPDATED Spring Data MongoDB, which offers object-document support and repositories for MongoDB, has been patched to fix a severe SpEL injection vulnerability that, when exploited, can result in remote code execution (RCE).

The vulnerability (CVE-2022-22980), with a near-maximum CVSS score of 9.8, “would allow an attacker to run arbitrary code with privileges inherited by the Spring MongoDB process,” Sam Quinn, senior security researcher at Trellix Threat Labs, told The Daily Swig.