Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Spring Data MongoDB SpEL Injection [CVE-2022-22980] #19157

Closed
jheysel-r7 opened this issue May 2, 2024 · 1 comment
Closed

Spring Data MongoDB SpEL Injection [CVE-2022-22980] #19157

jheysel-r7 opened this issue May 2, 2024 · 1 comment
Labels
suggestion-module New module suggestions

Comments

@jheysel-r7
Copy link
Contributor

Summary

This module will exploit a SpEL injection vulnerability in Spring Data MongoDB

Basic example

https://github.com/kuron3k0/Spring-Data-Mongodb-Example
@jheysel-r7 jheysel-r7 added the suggestion-module New module suggestions label May 2, 2024
@jheysel-r7 jheysel-r7 moved this to In Progress in Metasploit Kanban May 2, 2024
@jheysel-r7
Copy link
Contributor Author

jheysel-r7 commented May 2, 2024
edited
Loading

I jumped the gun on creating this issue. The successful exploitation of this vulnerability requires knowledge of a specific vulnerable endpoint. In the PoC's test application the endpoint /v1/user is configured to be vulnerable however in real world applications the user would first have to find a vulnerable endpoint via whitebox analysis or some prior knowledge, making this a non-ideal candidate for a metasploit module.

@github-project-automation github-project-automation bot moved this from In Progress to Done in Metasploit Kanban May 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
suggestion-module New module suggestions
Projects
Metasploit Kanban
Archived in project
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jheysel-r7