Spring Data MongoDB Bind Parameter Literal Quoting Breakout
Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting.
Affected versions:
Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.
Description: CWE-943: Improper Neutralization of Special Elements in Data Query Logic
Metrics
Version
Base score
Base severity
Vector
3.1
5.9
MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Version:3.1
Base score:5.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC ID
Description
N/A
An attacker who can supply a crafted string to a @Query regex binding can break out of literal quoting, potentially exposing unauthorized data or bypassing intended query filters.
CAPEC ID: N/A
Description: An attacker who can supply a crafted string to a @Query regex binding can break out of literal quoting, potentially exposing unauthorized data or bypassing intended query filters.