CVSS 3.1 base score (NVD): 9.8

CVE-2022-46166

Spring Boot Admin's integrated notifier support allows arbitrary code execution

Spring Boot Admin is an open-source administrative user interface for managing Spring Boot applications. All users who run Spring Boot Admin Server with notifiers enabled (e.g. the Teams notifier) and with write access to environment variables via the UI are affected. The notifier messages are built from configurable templates that are evaluated as expressions (CWE-94, see below), so a user who can rewrite those properties through the environment endpoint can inject an expression that is executed on the admin server. Users are advised to upgrade to the most recent releases, Spring Boot Admin 2.6.10 or 2.7.8, to resolve this issue. Users unable to upgrade may disable all notifiers, or disable write access (POST requests) on the `/env` actuator endpoint.

Data provided by the National Vulnerability Database (NVD)

Affected products (as listed by NVD):
  Codecentric Spring Boot Admin, version < 2.6.10
  Codecentric Spring Boot Admin, version >= 2.7.0 and < 2.7.8
  Codecentric Spring Boot Admin, version 3.0.0 milestone M1
  Codecentric Spring Boot Admin, version 3.0.0 milestone M2
  Codecentric Spring Boot Admin, version 3.0.0 milestone M3
  Codecentric Spring Boot Admin, version 3.0.0 milestone M4
  Codecentric Spring Boot Admin, version 3.0.0 milestone M5
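An added triage example, not code from the Spring Boot Admin project or from NVD: a small Python script that encodes the affected version ranges listed above together with the two deployment preconditions from the description (a notifier enabled, and the environment writable through the UI), so an inventory of admin servers can be checked offline. The property names it inspects are assumptions about a typical setup in which the admin server monitors itself: `spring.boot.admin.notify.*` for a configured notifier, and `management.endpoints.web.exposure.include` plus Spring Cloud's `management.endpoint.env.post.enabled` for a writable `/env` actuator endpoint. The sample properties are constructed for illustration.

```python
"""Triage helper for CVE-2022-46166 (Spring Boot Admin notifier code execution).

Added example, not part of the Spring Boot Admin project. It checks the two
conditions the advisory states: an affected Spring Boot Admin Server version,
and a deployment where a notifier is enabled and the environment is writable
through the UI. The property names used for the second check are assumptions
about a common Spring Boot / Spring Cloud configuration.
"""
import re
from typing import Dict, Optional, Tuple

# Affected ranges as listed by NVD for this CVE:
#   < 2.6.10, >= 2.7.0 and < 2.7.8, and the 3.0.0 milestones M1 through M5.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, Tuple[int, int]]:
    """Parse 'major.minor.patch' with an optional '-Mn' milestone suffix."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Spring Boot Admin version: {v!r}")
    major, minor, patch, milestone = m.groups()
    # A milestone (3.0.0-M1) sorts before the final release (3.0.0).
    pre = (0, int(milestone)) if milestone else (1, 0)
    return int(major), int(minor), int(patch), pre


def version_is_affected(v: str) -> bool:
    key = parse_version(v)
    if key < parse_version("2.6.10"):
        return True
    if parse_version("2.7.0") <= key < parse_version("2.7.8"):
        return True
    major, minor, patch, pre = key
    return (major, minor, patch) == (3, 0, 0) and pre[0] == 0 and 1 <= pre[1] <= 5


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal parser for Java-style 'key=value' / 'key: value' properties."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def _truthy(value: Optional[str]) -> bool:
    return (value or "").strip().lower() == "true"


def env_writable_via_actuator(props: Dict[str, str]) -> bool:
    # Assumption: the admin server monitors itself and exposes /env; with
    # Spring Cloud on the classpath, POST to /env additionally requires
    # management.endpoint.env.post.enabled=true (its default is false).
    exposed = {s.strip() for s in props.get("management.endpoints.web.exposure.include", "").split(",")}
    env_exposed = "*" in exposed or "env" in exposed
    return env_exposed and _truthy(props.get("management.endpoint.env.post.enabled"))


def notifier_configured(props: Dict[str, str]) -> bool:
    # Assumption: notifiers are configured under spring.boot.admin.notify.<name>.*
    # (e.g. the Teams notifier via spring.boot.admin.notify.ms-teams.webhook-url).
    return any(k.startswith("spring.boot.admin.notify.") for k in props)


def deployment_is_vulnerable(version: str, props: Dict[str, str]) -> bool:
    return version_is_affected(version) and notifier_configured(props) and env_writable_via_actuator(props)


# Constructed sample configuration for illustration, not from a real deployment.
SAMPLE_VULNERABLE = """
spring.boot.admin.notify.ms-teams.webhook-url=https://example.invalid/webhook
management.endpoints.web.exposure.include=*
management.endpoint.env.post.enabled=true
"""

# The advisory's workaround for users who cannot upgrade: keep the notifier but
# refuse POST requests on /env.
SAMPLE_MITIGATED = SAMPLE_VULNERABLE.replace(
    "management.endpoint.env.post.enabled=true",
    "management.endpoint.env.post.enabled=false",
)

if __name__ == "__main__":
    for ver in ("2.6.9", "2.6.10", "2.7.7", "2.7.8", "3.0.0-M5", "3.0.0"):
        print(ver, "affected" if version_is_affected(ver) else "not in affected range")
    print("vulnerable:", deployment_is_vulnerable("2.7.7", parse_properties(SAMPLE_VULNERABLE)))
    print("mitigated:", deployment_is_vulnerable("2.7.7", parse_properties(SAMPLE_MITIGATED)))
```

The version check alone is not a finding: a server on an affected release with no notifier configured, or with `/env` read-only, does not meet the advisory's preconditions. Conversely, a writable `/env` endpoint is a risk in its own right and is worth flagging even on a patched release.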
No alert was found for this CVE.
EPSS metrics
  Type   Source      Score   Percentile
  EPSS   FIRST.org   1.44%   0.697

CVSS metrics
  Source                           Base score   Exploitability   Impact   Vector string
  nvd@nist.gov                     9.8          3.9              5.9      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  security-advisories@github.com   8.0          1.3              6.0      CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

The two vectors differ on the preconditions, not on the impact: GitHub's vector (PR:L, UI:R, AC:H, scope changed) reflects the stated requirement that the attacker already has UI write access to the environment and that a notification must fire, while NVD scores the issue as reachable without privileges or interaction. When prioritising, use the GitHub vector together with who can actually reach the admin UI in your environment.
CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References
  https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75 (Patch; Third Party Advisory)
  https://github.com/codecentric/spring-boot-admin/security/advisories/GHSA-w3x5-427h-wfq6 (Third Party Advisory; Mitigation)