GHSA-w3x5-427h-wfq6

Suggest an improvement
Source
https://github.com/advisories/GHSA-w3x5-427h-wfq6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-w3x5-427h-wfq6/GHSA-w3x5-427h-wfq6.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-w3x5-427h-wfq6
Aliases
Published
2022-12-09T20:19:32Z
Modified
2023-11-01T05:00:26.007304Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Spring Boot Admins integrated notifier support allows arbitrary code execution
Details

Impact

All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are possibly affected.

Patches

In the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 the issue is fixed by implementing SimpleExecutionContext of SpEL. This prevents the arbitrary code execution (i.e. SpEL injection).

Workarounds

  • Disable any notifier
  • Disable write access (POST request) on /env actuator endpoint
Database specific
{
    "nvd_published_at": "2022-12-09T21:15:00Z",
    "github_reviewed_at": "2022-12-09T20:19:32Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-94"
    ]
}
References

Affected packages

Maven / de.codecentric:spring-boot-admin

Package

Name
de.codecentric:spring-boot-admin
View open source insights on deps.dev
Purl
pkg:maven/de.codecentric/spring-boot-admin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.6.10

Affected versions

1.*

1.0.2
1.0.3
1.0.4
1.0.5
1.1.0
1.1.1
1.1.2
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7

2.*

2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.3.0
2.3.1
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.5.6
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9

Maven / de.codecentric:spring-boot-admin

Package

Name
de.codecentric:spring-boot-admin
View open source insights on deps.dev
Purl
pkg:maven/de.codecentric/spring-boot-admin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.7.0
Fixed
2.7.8

Affected versions

2.*

2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7

Maven / de.codecentric:spring-boot-admin

Package

Name
de.codecentric:spring-boot-admin
View open source insights on deps.dev
Purl
pkg:maven/de.codecentric/spring-boot-admin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0-M1
Fixed
3.0.0-M6

Affected versions

3.*

3.0.0-M1
3.0.0-M2
3.0.0-M3
3.0.0-M4
3.0.0-M5