CVE-2022-46166

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-46166
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-46166.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-46166
Aliases
Published
2022-12-09T20:11:11.646Z
Modified
2025-11-28T05:03:30.660945Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Spring Boot Admin's integrated notifier support allows arbitrary code execution
Details

Spring Boot Admin is an open source administrative user interface for managing Spring Boot applications. All users who run Spring Boot Admin Server with Notifiers enabled (e.g. Teams-Notifier) and with write access to environment variables via the UI are affected. Users are advised to upgrade to the most recent releases of Spring Boot Admin, 2.6.10 and 2.7.8, to resolve this issue. Users unable to upgrade may disable any enabled notifier or disable write access (POST requests) on the /env actuator endpoint; each workaround removes one of the two preconditions stated above.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/46xxx/CVE-2022-46166.json",
    "cwe_ids": [
        "CWE-94"
    ]
}
References

Affected packages

Git / github.com/codecentric/spring-boot-admin

Affected ranges

Type
GIT
Repo
https://github.com/codecentric/spring-boot-admin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*

1.0.3
1.0.4
1.1.0
1.1.1
1.1.2
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7

2.*

2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.3.0
2.3.1
2.4.0
2.4.1
2.4.2
2.4.3
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
        "target": {
            "file": "spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/notify/DiscordNotifier.java",
            "function": "createContent"
        },
        "digest": {
            "length": 351.0,
            "function_hash": "308819669522947609203791811641036381300"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-46166-24a62a2a",
        "signature_type": "Function"
    },
    {
        "source": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
        "target": {
            "file": "spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/notify/TelegramNotifier.java",
            "function": "getText"
        },
        "digest": {
            "length": 351.0,
            "function_hash": "308819669522947609203791811641036381300"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-46166-31c99838",
        "signature_type": "Function"
    },
    {
        "source": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
        "target": {
            "file": "spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/notify/PagerdutyNotifier.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "168029984051602924942843223065845287974",
                "113177862416706009166097392957798407586",
                "152357677944050967704136184002961983019",
                "135427083141300318227874324573792209879",
                "199266406252772102835882516243958054573",
                "312340902303747084038756700705899195716",
                "282573321356607274691190639372445543476",
                "338474047336855878866407847162486990408",
                "317386459750949948068751270329082957868",
                "97915803070264335517110359686196899567",
                "89466473095721953420176937629359025858",
                "182634012755774078279366792370967333769",
                "338661334753483300561013600404131587511",
                "245700946003036779319893581327859737144",
                "317092920690102744694323087269402288088",
                "4024918317956047352457445629321231056",
                "92733474112047520920785030301399266959",
                "76400526046957677099784902455372361163",
                "302845296643993992693353941106289457147",
                "2631306045668766680951793630404666679",
                "285863535242711461837602420437837746845",
                "110675233897810182217457674198210374809",
                "318448440562624572888819321212063841269",
                "285177140246719643931461788368615970175",
                "289851273294245121126923747107601095782",
                "83011004374716388355607531860494283409",
                "189092505117030748109011706430768915004",
                "147826922990921742465330027291332954144",
                "143806395272743268610365934377412997700",
                "339977984634663184885889111127195197491",
                "250899807084983329255779653147924462093",
                "307714341932742835496865968200006324197",
                "11159974448147798902169047805492140105",
                "113380072659652454193105309987679187012",
                "298282208180182117129495755254204231892",
                "49615785164873147739172182216684979131",
                "254473448494862831883244600313386991045",
                "57879356766487015362144456556764805505",
                "228766091137771025622128472755371420735"
            ]
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-46166-591f6f6f",
        "signature_type": "Line"
    },
    {
        "source": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
        "target": {
            "file": "spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/notify/DingTalkNotifier.java",
            "function": "getSign"
        },
        "digest": {
            "length": 413.0,
            "function_hash": "20383476587499844220949291579719435812"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-46166-68a27468",
        "signature_type": "Function"
    },
    {
        "source": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
        "target": {
            "file": "spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/notify/LetsChatNotifier.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "168029984051602924942843223065845287974",
                "60010671208771061554513417377281802334",
                "232859185809812045158775949159649920710",
                "40107329407501049308142564969102763372",
                "199266406252772102835882516243958054573",
                "312340902303747084038756700705899195716",
                "180551139743684852225163228678418768211",
                "241086638103750156345186658332343077459",
                "166347799896617175040263881997693952084",
                "317084474625992420997374688516394709103",
                "106577642008800988361910006232228379072",
                "232464411829972563223117885009861623635",
                "26042325133682264338051596112864147010",
                "132883690162309416430217459815155513774",
                "171335579932137243275285093075149950361",
                "241256323053989278212744477779729390915",
                "67223076934178803764911428215239388137",
                "67520305341368372773743871215866338027",
                "320625563785872352236125416613821632490",
                "38943875317364396905772935637262597167",
                "75102234397544840958227190715073943065",
                "83976989942341881216399224761378127290",
                "249960760985509585908790223697539519847",
                "96519210530292814414892515266385512372",
                "309624623050468732902764647524006853881",
                "178361125306050387086649380512094021490",
                "184388341662729102274723835837555273458",
                "72962679501125072710863724581304432650",
                "224937930916840813948395552614108390200",
                "264814659052983235627008431822528914975",
                "311639074714425521097720515899301125554",
                "184996196259682029285376509178098610207",
                "202760779154523677716193929133665958230",
                "6941214693644157201827955235607442804",
                "236081881671109019299737170275733827280",
                "12465296634239621551649435846978109972",
                "235975810329297032696983639237752650085",
                "157327099422261803656669037657929297014",
                "197042098419981679955659120679178548169"
            ]
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-46166-6d7ce87c",
        "signature_type": "Line"
    },
    {
        "source": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
        "target": {
            "file": "spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/notify/OpsGenieNotifier.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "168029984051602924942843223065845287974",
                "60010671208771061554513417377281802334",
                "232859185809812045158775949159649920710",
                "40107329407501049308142564969102763372",
                "56896345093144684750464027380355067878",
                "222509255811235397972722894358607132889",
                "248290990790768282213514756706828841588",
                "259457752946793241626977051193256563771",
                "199266406252772102835882516243958054573",
                "312340902303747084038756700705899195716",
                "282573321356607274691190639372445543476",
                "338474047336855878866407847162486990408",
                "261380982846420242137693737264769725545",
                "131660662051880251435019671836071946637",
                "268460226379677823068676255622045100646",
                "330707120308541113129156500965522209569",
                "127365061763574595749902823903348454558",
                "14280076379637866133404239624206882066",
                "265825327415201813462531359460979442726",
                "325707293034918858232673684031280176738",
                "74338295491051192432101837525277577743",
                "65613906419391338439193063280166726320",
                "11159974448147798902169047805492140105"
            ]
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-46166-6f67d9b2",
        "signature_type": "Line"
    },
    {
        "source": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
        "target": {
            "file": "spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/notify/DingTalkNotifier.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "38649913103332370084548346085648175642",
                "222670739401579687828964743819753453282",
                "168029984051602924942843223065845287974",
                "60010671208771061554513417377281802334",
                "232859185809812045158775949159649920710",
                "186075743987639514672424738396671417597",
                "199266406252772102835882516243958054573",
                "312340902303747084038756700705899195716",
                "180551139743684852225163228678418768211",
                "241086638103750156345186658332343077459",
                "299065695222471481771477398773770894486",
                "207642207282661170848849279894410410522",
                "296945945704355200492091479493564117818",
                "259346514293464912005407963121726502195",
                "121728052303636394245891961382415991530",
                "20832329948746763152904796256379344588"
            ]
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-46166-77760d3e",
        "signature_type": "Line"
    },
    {
        "source": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
        "target": {
            "file": "spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/notify/DiscordNotifier.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "168029984051602924942843223065845287974",
                "60010671208771061554513417377281802334",
                "232859185809812045158775949159649920710",
                "186075743987639514672424738396671417597",
                "199266406252772102835882516243958054573",
                "312340902303747084038756700705899195716",
                "180551139743684852225163228678418768211",
                "241086638103750156345186658332343077459",
                "179545170204682727226575058907162142556"
            ]
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-46166-7e125fb9",
        "signature_type": "Line"
    },
    {
        "source": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
        "target": {
            "file": "spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/notify/SlackNotifier.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "168029984051602924942843223065845287974",
                "60010671208771061554513417377281802334",
                "232859185809812045158775949159649920710",
                "186075743987639514672424738396671417597",
                "199266406252772102835882516243958054573",
                "312340902303747084038756700705899195716",
                "180551139743684852225163228678418768211",
                "241086638103750156345186658332343077459",
                "96027535826397693409394933620853896941"
            ]
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-46166-82570a62",
        "signature_type": "Line"
    },
    {
        "source": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
        "target": {
            "file": "spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/notify/LetsChatNotifier.java",
            "function": "getText"
        },
        "digest": {
            "length": 351.0,
            "function_hash": "308819669522947609203791811641036381300"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-46166-94ba367f",
        "signature_type": "Function"
    },
    {
        "source": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
        "target": {
            "file": "spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/notify/SlackNotifier.java",
            "function": "getText"
        },
        "digest": {
            "length": 351.0,
            "function_hash": "308819669522947609203791811641036381300"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-46166-9624efe6",
        "signature_type": "Function"
    },
    {
        "source": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
        "target": {
            "file": "spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/notify/TelegramNotifier.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "168029984051602924942843223065845287974",
                "113177862416706009166097392957798407586",
                "152357677944050967704136184002961983019",
                "135427083141300318227874324573792209879",
                "199266406252772102835882516243958054573",
                "312340902303747084038756700705899195716",
                "180551139743684852225163228678418768211",
                "241086638103750156345186658332343077459",
                "166347799896617175040263881997693952084"
            ]
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-46166-9b362454",
        "signature_type": "Line"
    },
    {
        "source": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
        "target": {
            "file": "spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/notify/OpsGenieNotifier.java",
            "function": "buildUrl"
        },
        "digest": {
            "length": 295.0,
            "function_hash": "117312002945553229259213700159027023074"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-46166-a6fefb6b",
        "signature_type": "Function"
    },
    {
        "source": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
        "target": {
            "file": "spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/notify/PagerdutyNotifier.java",
            "function": "getDescription"
        },
        "digest": {
            "length": 355.0,
            "function_hash": "265273178789241359652000680391589208240"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-46166-aaa46556",
        "signature_type": "Function"
    },
    {
        "source": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
        "target": {
            "file": "spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/notify/HipchatNotifier.java",
            "function": "getMessage"
        },
        "digest": {
            "length": 355.0,
            "function_hash": "265273178789241359652000680391589208240"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-46166-b43145a6",
        "signature_type": "Function"
    },
    {
        "source": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
        "target": {
            "file": "spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/notify/HipchatNotifier.java",
            "function": "buildUrl"
        },
        "digest": {
            "length": 208.0,
            "function_hash": "186665334861092997689140860561572656773"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-46166-c772d9fe",
        "signature_type": "Function"
    },
    {
        "source": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
        "target": {
            "file": "spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/notify/MicrosoftTeamsNotifier.java",
            "function": "createEvaluationContext"
        },
        "digest": {
            "length": 312.0,
            "function_hash": "340189551773180711665767591810210938650"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-46166-d61b9d97",
        "signature_type": "Function"
    },
    {
        "source": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
        "target": {
            "file": "spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/notify/DingTalkNotifier.java",
            "function": "getText"
        },
        "digest": {
            "length": 351.0,
            "function_hash": "308819669522947609203791811641036381300"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-46166-eae5d6d5",
        "signature_type": "Function"
    },
    {
        "source": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
        "target": {
            "file": "spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/notify/HipchatNotifier.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "168029984051602924942843223065845287974",
                "60010671208771061554513417377281802334",
                "232859185809812045158775949159649920710",
                "186075743987639514672424738396671417597",
                "263541499444713296614583447077782725462",
                "311712836664834465717721327370119545757",
                "257511378455686760848952651905946112660",
                "90218647444775809916964176546107968342",
                "199266406252772102835882516243958054573",
                "312340902303747084038756700705899195716",
                "282573321356607274691190639372445543476",
                "338474047336855878866407847162486990408",
                "232486889654218813907236739187821581745",
                "80333860806805572337214932930324846940",
                "140721968073776108559043272183639301399",
                "232464411829972563223117885009861623635",
                "26042325133682264338051596112864147010",
                "132883690162309416430217459815155513774",
                "171335579932137243275285093075149950361",
                "241256323053989278212744477779729390915",
                "102040264993619121373750370443951335256",
                "301577240470658566362877566057124753281",
                "22133504044128115062893906554732418648",
                "171460583409673933527365130821220252360",
                "101497807016343322615135967409405572258",
                "298633217085417895773126392459371751252",
                "256585184637218265156352227112257778167",
                "62778676412959844806871106062758551463",
                "179718265501761920393486593618199613996",
                "274876661464998086921099649827273069561",
                "280506993026484095494645805483769796383",
                "199103157211312690436394013280734709663",
                "253248905787450387041167178024925360152",
                "19277107333477438236891026546449065191",
                "19424663816841617329310575112826091299",
                "139795206016344241352012902553670449646",
                "61413137810448156148072334354081689554",
                "237987438781254323146604771433427353692",
                "11159974448147798902169047805492140105",
                "113380072659652454193105309987679187012",
                "298282208180182117129495755254204231892",
                "49615785164873147739172182216684979131",
                "254473448494862831883244600313386991045",
                "57879356766487015362144456556764805505",
                "228766091137771025622128472755371420735"
            ]
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-46166-f1cbfdd1",
        "signature_type": "Line"
    },
    {
        "source": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
        "target": {
            "file": "spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/notify/OpsGenieNotifier.java",
            "function": "getMessage"
        },
        "digest": {
            "length": 355.0,
            "function_hash": "265273178789241359652000680391589208240"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-46166-f493961f",
        "signature_type": "Function"
    },
    {
        "source": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
        "target": {
            "file": "spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/notify/MicrosoftTeamsNotifier.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "235562518287803370592947255977632271511",
                "321322853221665511759251965049421221927",
                "83765979343852704064711559461065128355",
                "197944716560128699905929720705874596040",
                "168029984051602924942843223065845287974",
                "60010671208771061554513417377281802334",
                "232859185809812045158775949159649920710",
                "186075743987639514672424738396671417597",
                "44749826090222867738241685738872012652",
                "276273699712860165234360654874160559044",
                "80847958411017572616585210224793884777",
                "78886786026596931296798499851949114461",
                "121021008434033902129756575018912131966",
                "43857536439786415644441483770332804139",
                "331432849216236590537531310851133330300",
                "128593712793741697189753194513015904223",
                "12897505721054826945533703325653960168",
                "321036012911342935629647554595359304313",
                "106103760981747772970736759356156181645",
                "7706586760212741540960285826443965064",
                "294958052474881199620993936073021883915",
                "52102862042072997883066234100935451003",
                "278150981712566399540490805468554864183",
                "32155703880082579903550990684866779914",
                "284974782204408827192030681740996485381",
                "5312966681335712975209648409705019602",
                "292691067500503545461135860091597904309",
                "48438451863070164626804831858932462673",
                "198847547228801470366623418049390877151",
                "215768186994171874767677667564357718000",
                "301856967102632027262089439020570481518",
                "100014440523788656457771501985536096796",
                "143855981072858638742649497297346318275",
                "304957312594902254402289931399527963864",
                "338849199397556094847416328281985800135",
                "317564239916859409192601520273827252778",
                "338643897419915378293146123011042004316",
                "199266406252772102835882516243958054573",
                "312340902303747084038756700705899195716",
                "224611784647327860064545308910946648673",
                "99362035129660395056474764849709039223",
                "77243543439991348249478732965513036048",
                "246259111522679820922680836824843907980"
            ]
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2022-46166-ff40478a",
        "signature_type": "Line"
    }
]