History: Dec 09, 2022 - 8:11 p.m.

CVE-2022-46166 Spring Boot Admins integrated notifier support allows arbitrary code execution

Published: 2022-12-09 20:11:11
CWE: CWE-94
Source: GitHub_M (www.cve.org)
Tags: cve-2022-46166, spring boot admins, integrated notifier, arbitrary code execution, open source, administrative user interface, management, affected users, upgrade, environment variables, ui, disable notifier, disable write access

CVSS3: 8.0 High
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

AI Score: 9.8 High (Confidence: High)
EPSS: 0.003 Low (Percentile: 69.7%)

Spring Boot Admin is an open source administrative user interface for managing Spring Boot applications. All users who run Spring Boot Admin Server with notifiers enabled (for example the Microsoft Teams notifier) and with write access to environment variables through the UI are affected. Users are advised to upgrade to the patched releases, Spring Boot Admin 2.6.10 or 2.7.8, to resolve this issue. Users unable to upgrade may disable every notifier, or disable write access (POST requests) to the /env actuator endpoint; either measure removes one precondition of the attack path.
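The advisory names three preconditions (an unpatched Spring Boot Admin Server, an enabled notifier, and POST access to the monitored application's /env actuator endpoint) and two workarounds that each remove one of them. The following audit helper is an added example written for this page, not code from the Spring Boot Admin project or from the CVE record. It encodes the affected ranges as the advisory states them (every 2.x below 2.6.10, and 2.7.x below 2.7.8) and checks constructed sample .properties files for the weak and hardened settings. The Spring Boot property `management.endpoint.env.post.enabled` and the `spring.boot.admin.notify.<name>.*` property family are real, but treating "any notify.<name> key present and <name>.enabled not false" as an enabled notifier is this example's own heuristic, and the sample configurations are constructed, not taken from any deployment.

```python
"""Audit helper for CVE-2022-46166 preconditions: Spring Boot Admin server
version, notifier configuration, and POST access to the /env actuator endpoint.
Constructed sample configurations are embedded so the script runs offline."""
from __future__ import annotations

import re

# Fix releases named in the advisory, keyed by (major, minor) branch.
FIXED_PATCH = {(2, 6): 10, (2, 7): 8}


def parse_version(version: str) -> tuple[int, int, int]:
    match = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unparseable Spring Boot Admin version: {version!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return major, minor, patch


def is_vulnerable_version(version: str) -> bool:
    """True when the server version lies in a range the advisory calls affected:
    every 2.x release below 2.6.10, and 2.7.0 up to but excluding 2.7.8.
    Branches the advisory does not mention (1.x, 3.x) are not flagged."""
    major, minor, patch = parse_version(version)
    if major != 2:
        return False
    if (major, minor) in FIXED_PATCH:
        return patch < FIXED_PATCH[(major, minor)]
    return minor < 6  # 2.0 .. 2.5 are all below 2.6.10


def parse_properties(text: str) -> dict[str, str]:
    """Minimal key=value parser for Spring .properties files; comments and blanks skipped."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


NOTIFIER_PREFIX = "spring.boot.admin.notify."


def enabled_notifiers(server_props: dict[str, str]) -> list[str]:
    """Heuristic (this example's assumption, not from the advisory): a notifier counts as
    enabled when any spring.boot.admin.notify.<name>.* key is set and <name>.enabled is not 'false'."""
    names = {key[len(NOTIFIER_PREFIX):].split(".")[0]
             for key in server_props if key.startswith(NOTIFIER_PREFIX)}
    return sorted(
        name for name in names
        if server_props.get(f"{NOTIFIER_PREFIX}{name}.enabled", "true").lower() != "false"
    )


def env_post_enabled(client_props: dict[str, str]) -> bool:
    """Spring Boot accepts POST on /actuator/env only when this property is true (default false)."""
    return client_props.get("management.endpoint.env.post.enabled", "false").lower() == "true"


def assess(version: str, server_properties: str, client_properties: str) -> dict:
    """All three preconditions from the advisory must hold for the attack path to be open."""
    server = parse_properties(server_properties)
    client = parse_properties(client_properties)
    notifiers = enabled_notifiers(server)
    vulnerable = is_vulnerable_version(version)
    writable = env_post_enabled(client)
    return {
        "vulnerable_version": vulnerable,
        "notifiers": notifiers,
        "env_writable": writable,
        "exposed": vulnerable and bool(notifiers) and writable,
    }


# Constructed sample configurations (not taken from any real deployment).
WEAK_SERVER = """
spring.boot.admin.notify.ms-teams.webhook-url=https://example.invalid/webhook
"""
HARDENED_SERVER = """
spring.boot.admin.notify.ms-teams.webhook-url=https://example.invalid/webhook
spring.boot.admin.notify.ms-teams.enabled=false
"""
WEAK_CLIENT = """
management.endpoints.web.exposure.include=health,info,env
management.endpoint.env.post.enabled=true
"""
HARDENED_CLIENT = """
management.endpoints.web.exposure.include=health,info,env
management.endpoint.env.post.enabled=false
"""

if __name__ == "__main__":
    for label, ver, srv, cli in [
        ("unpatched, notifier on, env writable", "2.7.3", WEAK_SERVER, WEAK_CLIENT),
        ("unpatched, notifier on, env read-only", "2.7.3", WEAK_SERVER, HARDENED_CLIENT),
        ("unpatched, notifier off, env writable", "2.7.3", HARDENED_SERVER, WEAK_CLIENT),
        ("patched release", "2.7.8", WEAK_SERVER, WEAK_CLIENT),
    ]:
        print(f"{label}: {assess(ver, srv, cli)}")
```

The two hardened samples correspond to the two workarounds in the description: `HARDENED_SERVER` switches the notifier off, `HARDENED_CLIENT` leaves /env readable but rejects POST. Either one alone makes `exposed` false, as does upgrading to a fixed release; upgrading is still the only change that removes the underlying code-injection flaw rather than a precondition of reaching it.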

CNA Affected (the CNA record below lists only the 2.6 branch; the description above also names 2.7.8 as a fixed release, so 2.7.x releases below 2.7.8 should be treated as affected as well)

[
  {
    "vendor": "codecentric",
    "product": "spring-boot-admin",
    "versions": [
      {
        "version": "< 2.6.10",
        "status": "affected"
      }
    ]
  }
]
