Skip to content

Spring Boot Admins integrated notifier support allows arbitrary code execution

High
SteKoe published GHSA-w3x5-427h-wfq6 Dec 9, 2022

Package

de.codecentric.boot.admin.server.notify (Spring Boot Admin Server - Notifier)

Affected versions

< 2.6.10
< 2.7.8, 2.7.11
< 3.0.0-M6

Patched versions

2.6.10
2.7.8, 2.7.9, 2.7.10, > 2.7.12
3.0.0-M6

Description

Impact

All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are possibly affected.

Patches

In the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 the issue is fixed by implementing SimpleExecutionContext of SpEL. This prevents the arbitrary code execution (i.e. SpEL injection).

Workarounds

  • Disable any notifier
  • Disable write access (POST request) on /env actuator endpoint

Severity

High
8.1
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CVE ID

CVE-2022-46166

Weaknesses

Credits