CVE-2022-46166

Source
https://cve.org/CVERecord?id=CVE-2022-46166
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-46166.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-46166
Aliases
Published
2022-12-09T20:11:11.646Z
Modified
2026-07-15T02:07:05.117136463Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Spring Boot Admins integrated notifier support allows arbitrary code execution
Details

Spring boot admins is an open source administrative user interface for management of spring boot applications. All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are affected. Users are advised to upgrade to the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 to resolve this issue. Users unable to upgrade may disable any notifier or disable write access (POST request) on /env actuator endpoint.

Database specific
{
    "cwe_ids": [
        "CWE-94"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/46xxx/CVE-2022-46166.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/codecentric/spring-boot-admin

Affected ranges

Type
GIT
Repo
https://github.com/codecentric/spring-boot-admin
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:codecentric:spring_boot_admin:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:codecentric:spring_boot_admin:3.0.0:m1:*:*:*:*:*:*",
        "cpe:2.3:a:codecentric:spring_boot_admin:3.0.0:m2:*:*:*:*:*:*",
        "cpe:2.3:a:codecentric:spring_boot_admin:3.0.0:m3:*:*:*:*:*:*",
        "cpe:2.3:a:codecentric:spring_boot_admin:3.0.0:m4:*:*:*:*:*:*",
        "cpe:2.3:a:codecentric:spring_boot_admin:3.0.0:m5:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.6.10"
        },
        {
            "introduced": "2.7.0"
        },
        {
            "fixed": "2.7.8"
        },
        {
            "introduced": "3.0.0-m1"
        },
        {
            "last_affected": "3.0.0-m1"
        },
        {
            "introduced": "3.0.0-m2"
        },
        {
            "last_affected": "3.0.0-m2"
        },
        {
            "introduced": "3.0.0-m3"
        },
        {
            "last_affected": "3.0.0-m3"
        },
        {
            "introduced": "3.0.0-m4"
        },
        {
            "last_affected": "3.0.0-m4"
        },
        {
            "introduced": "3.0.0-m5"
        },
        {
            "last_affected": "3.0.0-m5"
        }
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING",
        "REFERENCES"
    ]
}

Affected versions

1.*
1.0.3
1.0.4
1.1.0
1.1.1
1.1.2
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.3.0
1.3.1
1.3.2
1.3.3
1.4.0
1.4.1
1.4.2
1.4.3
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
2.*
2.0.0
2.0.1
2.0.2
2.1.0
2.1.1
2.1.2
2.1.3
2.2.0
2.2.1
2.2.2
2.2.3
2.3.0
2.3.1
2.4.0
2.4.1
2.4.2
2.4.3
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.6.0
2.6.1
2.6.2
2.6.3
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
3.*
3.0.0-M1
3.0.0-M2
3.0.0-M3
3.0.0-M4
3.0.0-M5
3.0.0-m1
3.0.0-m2
3.0.0-m3
3.0.0-m4
3.0.0-m5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-46166.json"