Spring Boot Admins integrated notifier support allows arbitrary code execution
CVE-2022-46166
8.1HIGH
Key Information:
- Vendor
Codecentric
- Status
- Vendor
- CVE Published:
- 9 December 2022
Badges
๐พ Exploit Exists๐ก Public PoC
What is CVE-2022-46166?
Spring boot admins is an open source administrative user interface for management of spring boot applications. All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are affected. Users are advised to upgrade to the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 to resolve this issue. Users unable to upgrade may disable any notifier or disable write access (POST request) on /env actuator endpoint.
Affected Version(s)
spring-boot-admin < 2.6.10
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
