oss-sec mailing list archives
Grails Framework Remote Code Execution Vulnerability, CVE-2022-35912
From: "Myers, Christopher" <Christopher.Myers () sdbor edu>
Date: Wed, 20 Jul 2022 19:58:07 +0000
I haven't seen this posted yet, so I'm just passing along. The Grails team has confirmed a critical security vulnerability reported by meizjm3i and codeplutos of AntGroup FG Security Lab. This vulnerability has been assigned identifier CVE-2022-35912<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35912>. The vulnerability allows an attacker to remotely execute code within a Grails application runtime by issuing a specially crafted web request that grants the attacker access to the class loader. This attack exploits a section of the Grails data-binding logic. Grails data-binding is invoked in a number of ways including the creation of command objects, domain class construction, and manual data binding when using bindData. For a full description, please refer to the data-binding documentation<https://docs.grails.org/latest/guide/theWebLayer.html#dataBinding>. Blog post: https://grails.org/blog/2022-07-18-rce-vulnerability.html Github thread: https://github.com/grails/grails-core/issues/12626
Current thread:
- Grails Framework Remote Code Execution Vulnerability, CVE-2022-35912 Myers, Christopher (Jul 20)