search

EliyaC / SecurityShepherd

Web and mobile application security training platform
https://owasp.org/www-project-security-shepherd/
GNU General Public License v3.0
0 stars 0 forks source link

spring-data-mongodb-2.1.1.RELEASE.jar: 1 vulnerabilities (highest severity is: 9.8) #56

Open mend-for-github-com[bot] opened 1 year ago

mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - spring-data-mongodb-2.1.1.RELEASE.jar

MongoDB support for Spring Data

Library home page: http://www.spring.io

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/data/spring-data-mongodb/2.1.1.RELEASE/spring-data-mongodb-2.1.1.RELEASE.jar

Found in HEAD commit: 5c01ae865aebd03d0a0c124ffd6db00a299c5c8a

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (spring-data-mongodb version) Remediation Possible**
CVE-2022-22980 Critical 9.8 spring-data-mongodb-2.1.1.RELEASE.jar Direct 3.2.12

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-22980 ### Vulnerable Library - spring-data-mongodb-2.1.1.RELEASE.jar

MongoDB support for Spring Data

Library home page: http://www.spring.io

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/data/spring-data-mongodb/2.1.1.RELEASE/spring-data-mongodb-2.1.1.RELEASE.jar

Dependency Hierarchy: - :x: **spring-data-mongodb-2.1.1.RELEASE.jar** (Vulnerable Library)

Found in HEAD commit: 5c01ae865aebd03d0a0c124ffd6db00a299c5c8a

Found in base branch: dev

### Vulnerability Details

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.

Publish Date: 2022-06-22

URL: CVE-2022-22980

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22980

Release Date: 2022-06-22

Fix Resolution: 3.2.12

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.