
=====================================================================

                               CERT-Renater

                   Note d'Information No. 2022/VULN457

_____________________________________________________________________

DATE                : 13/12/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Spring Boot Admin versions prior
                              to 2.6.10, 2.7.8 or 3.0.0-M6.

=====================================================================
https://github.com/codecentric/spring-boot-admin/security/advisories/GHSA-w3x5-427h-wfq6
_____________________________________________________________________

Spring Boot Admin's integrated notifier support allows arbitrary code
execution
Severity: High. Published by SteKoe as GHSA-w3x5-427h-wfq6.

Package
de.codecentric.boot.admin.server.notify (Spring Boot Admin Server - 
Notifier)

Affected versions
< 2.6.10
< 2.7.8
< 3.0.0-M6

Patched versions
2.6.10
2.7.8
3.0.0-M6


Description

Impact
All users who run Spring Boot Admin Server with notifiers enabled
(e.g. the Teams notifier) and with write access to environment
variables via the UI are potentially affected.


Patches
In the most recent releases of Spring Boot Admin, 2.6.10 and 2.7.8,
the issue is fixed by evaluating notifier templates with SpEL's
SimpleExecutionContext. This prevents arbitrary code execution via
SpEL injection.
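As an added illustration, not Spring Boot Admin's own code, the two shapes of a notifier-style template renderer side by side: a full StandardEvaluationContext, which evaluates every SpEL construct, and the restricted context the fix relies on. The SpEL class that provides that restriction is org.springframework.expression.spel.support.SimpleEvaluationContext (the advisory refers to it as SimpleExecutionContext); the Instance class, the method names and the sample template are hypothetical, and the snippet assumes spring-expression is on the classpath.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.ParserContext;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class NotifierTemplateDemo {
    // Hypothetical stand-in for the data a notifier exposes to its template.
    public static class Instance {
        private final String name;
        public Instance(String name) { this.name = name; }
        public String getName() { return name; }
    }

    private static final SpelExpressionParser PARSER = new SpelExpressionParser();

    // Vulnerable shape: StandardEvaluationContext allows type references,
    // method calls and constructors, so attacker-influenced template text
    // becomes arbitrary code execution.
    static String renderUnsafe(String template, Instance instance) {
        Expression e = PARSER.parseExpression(template, ParserContext.TEMPLATE_EXPRESSION);
        StandardEvaluationContext ctx = new StandardEvaluationContext();
        ctx.setVariable("instance", instance);
        return e.getValue(ctx, String.class);
    }

    // Hardened shape: a read-only data-binding context permits only property
    // access on the root object and variables; T(...) and method calls fail.
    static String renderSafe(String template, Instance instance) {
        Expression e = PARSER.parseExpression(template, ParserContext.TEMPLATE_EXPRESSION);
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        ctx.setVariable("instance", instance);
        return e.getValue(ctx, String.class);
    }

    public static void main(String[] args) {
        Instance inst = new Instance("orders-service");
        // A legitimate notifier template works under the restricted context.
        System.out.println(renderSafe("Instance #{#instance.name} is down", inst));
        // Constructed, harmless type-reference expression: the full context
        // evaluates it, the restricted context throws before it can run.
        String typeRef = "#{T(java.lang.Math).max(1, 2)}";
        System.out.println(renderUnsafe(typeRef, inst));
        try {
            renderSafe(typeRef, inst);
        } catch (SpelEvaluationException ex) {
            System.out.println("rejected: " + ex.getMessageCode());
        }
    }
}
```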


Workarounds

Disable all notifiers
Disable write access (POST requests) to the /env actuator endpoint


Severity
High

8.0 / 10

CVSS base metrics

Attack vector
Network

Attack complexity
High

Privileges required
Low

User interaction
Required

Scope
Changed

Confidentiality
High

Integrity
High

Availability
High

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CVE ID
CVE-2022-46166

Weaknesses
CWE-94

Credits
Tim-Conrad (@Tim-Conrad)


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


