CVE-2022-46166
HIGH8.0EPSS 27.0%Spring Boot Admins integrated notifier support allows arbitrary code execution
發布日:2022/12/9修改日:2023/11/8
描述
### Impact All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are possibly affected. ### Patches In the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 the issue is fixed by implementing `SimpleExecutionContext` of SpEL. This prevents the arbitrary code execution (i.e. SpEL injection). ### Workarounds * Disable any notifier * Disable write access (POST request) on `/env` actuator endpoint
受影響套件(1)
- Maven/de.codecentric:spring-boot-adminfrom 0, < 2.6.10
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.0 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H |