GHSA-3pjv-r7w4-2cf5

Source

https://github.com/advisories/GHSA-3pjv-r7w4-2cf5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-3pjv-r7w4-2cf5/GHSA-3pjv-r7w4-2cf5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3pjv-r7w4-2cf5

Aliases

CVE-2023-46131

Published

2023-12-20T21:12:09Z

Modified

2024-02-16T08:07:43.515495Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Grails data binding causes JVM crash and/or other denial of service

Details

Impact

A specially crafted web request can lead to a JVM crash or denial of service. Any Grails framework application using Grails data binding is vulnerable.

Patches

Patches are available for Grails 3 and later.

Workarounds

No workaround is possible except to avoid data binding to request data.

References

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-400"
    ],
    "nvd_published_at": "2023-12-21T00:15:25Z",
    "github_reviewed_at": "2023-12-20T21:12:09Z",
    "severity": "MODERATE"
}

References

Affected packages

Maven

org.grails:grails-databinding

Package

Name: org.grails:grails-databinding; View open source insights on deps.dev
Purl: pkg:maven/org.grails/grails-databinding

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.1.0

Affected versions

6.*

6.0.0

org.grails:grails-databinding

Package

Name: org.grails:grails-databinding; View open source insights on deps.dev
Purl: pkg:maven/org.grails/grails-databinding

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.3.4

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.1.0

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.1.6

5.1.7

5.1.8

5.1.9

5.1.10

5.2.0

5.2.1

5.2.2

5.2.3

5.2.4

5.2.5

5.2.6

5.3.0

5.3.1

5.3.2

5.3.3

org.grails:grails-databinding

Package

Name: org.grails:grails-databinding; View open source insights on deps.dev
Purl: pkg:maven/org.grails/grails-databinding

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.1.3

Affected versions

4.*

4.0.0

4.0.1

4.0.5

4.0.6

4.0.7

4.0.8

4.0.9

4.0.10

4.0.11

4.0.12

4.0.13

4.1.0.M3

4.1.0.M4

4.1.0

4.1.1

4.1.2

org.grails:grails-databinding

Package

Name: org.grails:grails-databinding; View open source insights on deps.dev
Purl: pkg:maven/org.grails/grails-databinding

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

3.3.17

Affected versions

2.*

2.3.0.M1

2.3.0.M2

2.3.0.RC1

2.3.0.RC2

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.3.9

2.3.10

2.3.11

2.4.0.M1

2.4.0.M2

2.4.0.RC1

2.4.0.RC2

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.5.0

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.5.6

3.*

3.0.0.M1

3.0.0.M2

3.0.0.RC2

3.0.0.RC3

3.0.0

3.0.1

3.0.3

3.0.4

3.0.5

3.0.6

3.0.9

3.0.10

3.0.11

3.0.12

3.0.13

3.0.14

3.0.15

3.0.16

3.0.17

3.1.0.M2

3.1.0.M3

3.1.0.RC1

3.1.0.RC2

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.15

3.1.16

3.2.0.M1

3.2.0.M2

3.2.0.RC1

3.2.0.RC2

3.2.0

3.2.1

3.2.4

3.2.5

3.2.6

3.2.7

3.2.8

3.2.9

3.2.10

3.2.11

3.2.12

3.3.0.M1

3.3.0.M2

3.3.0.RC1

3.3.0

3.3.1

3.3.2

3.3.3

3.3.10

3.3.13

3.3.14

3.3.15

3.3.16