CVE-2022-23463 — Nepxion Discovery vulnerable to SpEL Injection leading to Remote Code Execution

Description

Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnerable to SpEL Injection in discovery-commons. DiscoveryExpressionResolver’s eval method is evaluating expression with a StandardEvaluationContext, allowing the expression to reach and interact with Java classes such as java.lang.Runtime, leading to Remote Code Execution. There is no patch available for this issue at time of publication. There are no known workarounds.

How to fix CVE-2022-23463

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2022-23463 being exploited?

Low — EPSS is 1.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 6.16.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-23463
ADVISORYsecuritylab.github.com/advisories/GHSL-2022-033_GHSL-2022-034_Discovery
PATCHgithub.com/Nepxion/Discovery