CVE-2022-22980 PoC — Spring Data MongoDB 安全漏洞

Source

https://github.com/trganda/CVE-2022-22980

Associated Vulnerability

Title:Spring Data MongoDB 安全漏洞 (CVE-2022-22980)
Description:A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.

Description

Poc of CVE-2022-22980

Readme

# CVE-2022-22980

A local based poc of CVE-2022-22980, for the detail of this vulnerability see https://tanzu.vmware.com/security/cve-2022-22980.

> You need to install [mongodb](https://www.mongodb.com/try/download) on locahost before running.
> 
> And I've create a web based poc with docker on [dockerv](https://github.com/trganda/dockerv/tree/master/vuln/spring/spring-data-mongodb/CVE-2022-22980)

Run

```bash
mvn spring-boot:run
```

or open with IDEA, and launch the `AccessingDataMongodbApplication`

![](screenshot.jpg)

File Snapshot


 [4.0K]  /data/pocs/479e09cea4d6fc36fe7819bc034f3cd02aea2144
├── [1.0K]  LICENSE
├── [9.7K]  mvnw
├── [6.2K]  mvnw.cmd
├── [1.2K]  pom.xml
├── [ 531]  README.md
├── [ 58K]  screenshot.jpg
└── [4.0K]  src
    └── [4.0K]  main
        └── [4.0K]  java
            └── [4.0K]  com
                └── [4.0K]  example
                    └── [4.0K]  accessingdatamongodb
                        ├── [1.5K]  AccessingDataMongodbApplication.java
                        ├── [ 487]  Customer.java
                        └── [ 454]  CustomerRepository.java

6 directories, 9 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!