10 matches found
io.github.dem07:maintenance-mode (=1.0.0), io.github.gpc:asynchronous-mail (>=3.1.0 <=3.1.2) +33 more potentially affected by CVE-2023-46131 via org.grails:grails-databinding (>=5.0.0 <=5.3.3)
org.grails:grails-databinding MAVEN version =5.0.0, =3.1.0, =1.1.0, =4.0.0, =5.0.0.RC2, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.3.3 and more Source cves: CVE-2023-46131 Source advisory: OSV:GHSA-3PJV-R7W4-2CF5...
io.github.matrei:grails-inertia-plugin (=2.0.0), org.grails.plugins:gsp (>=6.0.1 <=6.0.3) +22 more potentially affected by CVE-2023-46131 via org.grails:grails-databinding (=6.0.0)
org.grails:grails-databinding MAVEN version =6.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.grails:grails-databinding and may be impacted: - io.github.matrei:grails-inertia-plugin =2.0.0 - org.grails.plugins:gsp =6.0.1, =6.0.3 -...
io.springfox.grails:springfox-grails (=1.0.0), org.grails:gorm-cassandra-spring-boot (=5.0.0.RC1) +54 more potentially affected by CVE-2023-46131 via org.grails:grails-databinding (>=2.3.0 <=3.2.9)
org.grails:grails-databinding MAVEN version =2.3.0, =3.0.0, =6.0.0.M2, =2.0.0.M2, =2.0.0.M2, =5.0.0.RC1 - org.grails:grails-datastore-gorm-hibernate5 =5.0.0.RC1 - org.grails:grails-datastore-gorm-mongodb =5.0.0.RC1 - org.grails:grails-datastore-gorm-neo4j =5.0.0.RC1 -...
io.github.gpc:cascade-validation (=4.0.0), io.github.gpc:grails-cascade-validation (=4.0.0) +19 more potentially affected by CVE-2023-46131 via org.grails:grails-databinding (>=4.0.10 <=4.1.2)
org.grails:grails-databinding MAVEN version =4.0.10, =4.0.0-1, =4.0.10, =4.0.10, =4.0.10, =4.0.10, =4.0.10, =4.0.10, =4.0.10, =4.0.10, =4.0.10, =4.0.10, =4.0.10, =4.0.10, =4.1.2 and more Source cves: CVE-2023-46131 Source advisory: OSV:GHSA-3PJV-R7W4-2CF5...
io.github.gpc:cascade-validation (=4.0.0), io.github.gpc:grails-cascade-validation (=4.0.0) +19 more potentially affected by CVE-2022-35912 via org.grails:grails-databinding (>=4.0.10 <=4.1.0)
org.grails:grails-databinding MAVEN version =4.0.10, =4.0.0-1, =4.0.10, =4.0.10, =4.0.10, =4.0.10, =4.0.10, =4.0.10, =4.0.10, =4.0.10, =4.0.10, =4.0.10, =4.0.10, =4.0.10, =4.1.0 and more Source cves: CVE-2022-35912 Source advisory: OSV:GHSA-6RH6-X8WW-9H97...
org.grails:grails-plugin-codecs (=5.2.0), org.grails:grails-plugin-controllers (=5.2.0) +14 more potentially affected by CVE-2022-35912 via org.grails:grails-databinding (=5.2.0)
org.grails:grails-databinding MAVEN version =5.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.grails:grails-databinding and may be impacted: - org.grails:grails-plugin-codecs =5.2.0 - org.grails:grails-plugin-controllers =5.2.0 -...
io.github.gpc:asynchronous-mail (>=3.1.0 <=3.1.1), io.github.longwa:build-test-data (=5.0.0) +23 more potentially affected by CVE-2022-35912 via org.grails:grails-databinding (>=5.0.0 <=5.1.8)
org.grails:grails-databinding MAVEN version =5.0.0, =3.1.0, =4.0.0, =5.0.0.RC2, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.1.10 and more Source cves: CVE-2022-35912 Source advisory: OSV:GHSA-6RH6-X8WW-9H97...
Remote Code Execution (RCE)
org.grails:grails-databinding is vulnerable to remote code execution. The vulnerability exists in the isOkToBind function of SimpleDataBinder.groovy, allowing an attacker to execute code by gaining access to the class loader...
CVE-2022-35912
In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 at least when certain Java 8 configurations are used, data binding allows a remote attacker to execute code by gaining access to the class loader...
CVE-2022-35912
CVE-2022-35912 is a Grails data-binding remote code execution vulnerability. In grails-databinding, versions prior to 3.3.15, 4.x prior to 4.1.1, 5.x prior to 5.1.9, and 5.2.x prior to 5.2.1 can allow a remote attacker to execute code by gaining access to the class loader when certain Java 8 conf...