CVE-2022-23463

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-23463

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-23463.json

Aliases

GHSA-q979-9m39-23mq

Published

2022-09-24T05:15:08Z

Modified

2023-11-29T09:27:02.819407Z

Details

Nepxion Discovery is a solution for Spring Cloud. Discover is vulnerable to SpEL Injection in discovery-commons. DiscoveryExpressionResolver’s eval method is evaluating expression with a StandardEvaluationContext, allowing the expression to reach and interact with Java classes such as java.lang.Runtime, leading to Remote Code Execution. There is no patch available for this issue at time of publication. There are no known workarounds.

References

https://securitylab.github.com/advisories/GHSL-2022-033_GHSL-2022-034_Discovery/

Affected packages

Git / github.com/nepxion/discovery

Affected ranges

Type: GIT
Repo: https://github.com/nepxion/discovery
Events: Introduced

0The exact introduced commit is unknown

Last affected

151eb35ba90052e9d13b35e980477a3e1bef4042

Affected versions

4.*

4.8.1

4.8.2

4.8.3

4.8.5

4.8.6

4.8.7

5.*

5.0.8

5.1.0

5.1.2

5.2.0

5.2.1

5.2.3

5.2.7

5.3.0

5.3.3

5.3.9

5.4.0

5.4.2

5.5.0

5.5.3

6.*

6.0.1

6.0.2

6.0.5

6.0.6

6.0.7

6.10.0

6.11.0

6.12.0

6.12.1

6.13.1

6.14.0

6.15.0

6.16.1

6.16.2

6.2.0

6.3.1

6.3.2

6.3.3

6.5.0

6.6.0

6.7.0

6.8.0

6.9.0