GHSA-6rh6-x8ww-9h97

Source

https://github.com/advisories/GHSA-6rh6-x8ww-9h97

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-6rh6-x8ww-9h97/GHSA-6rh6-x8ww-9h97.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-6rh6-x8ww-9h97

Aliases

CVE-2022-35912

Published

2022-07-21T21:38:28Z

Modified

2024-11-28T05:41:46.744847Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Grails framework Remote Code Execution via Data Binding

Details

Impact

A vulnerability has been discovered in the Grails data-binding logic which allows for Remote Code Execution in a Grails application. This exploit requires the application to be running on Java 8, either deployed as a WAR to a servlet container, or an executable JAR.

Patches

Grails framework versions 5.2.1, 5.1.9, 4.1.1, and 3.3.15

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35912 https://grails.org/blog/2022-07-18-rce-vulnerability.html

For more information

If you have any questions or comments about this advisory: * https://grails.org/blog/2022-07-18-rce-vulnerability.html * https://github.com/grails/grails-core/issues/12626 * Email us at info@grails.org

Credit

This vulnerability was discovered by meizjm3i and codeplutos of AntGroup FG Security Lab

Database specific

{
    "nvd_published_at": "2022-07-19T16:15:00Z",
    "cwe_ids": [],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-21T21:38:28Z"
}

References

Affected packages

Maven / org.grails:grails-databinding

Package

Name: org.grails:grails-databinding; View open source insights on deps.dev
Purl: pkg:maven/org.grails/grails-databinding

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.3.10

Fixed

3.3.15

Affected versions

3.*

3.3.10

3.3.13

3.3.14

Maven / org.grails:grails-databinding

Package

Name: org.grails:grails-databinding; View open source insights on deps.dev
Purl: pkg:maven/org.grails/grails-databinding

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.1.1

Affected versions

4.*

4.0.0

4.0.1

4.0.5

4.0.6

4.0.7

4.0.8

4.0.9

4.0.10

4.0.11

4.0.12

4.0.13

4.1.0.M3

4.1.0.M4

4.1.0

Maven / org.grails:grails-databinding

Package

Name: org.grails:grails-databinding; View open source insights on deps.dev
Purl: pkg:maven/org.grails/grails-databinding

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.1.9

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.1.0

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.1.6

5.1.7

5.1.8

Maven / org.grails:grails-databinding

Package

Name: org.grails:grails-databinding; View open source insights on deps.dev
Purl: pkg:maven/org.grails/grails-databinding

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.2.0

Fixed

5.2.1

Affected versions

5.*

5.2.0