oss-sec mailing list archives

Grails Framework Remote Code Execution Vulnerability, CVE-2022-35912


From: "Myers, Christopher" <Christopher.Myers () sdbor edu>
Date: Wed, 20 Jul 2022 19:58:07 +0000

I haven't seen this posted yet, so I'm just passing along.



The Grails team has confirmed a critical security vulnerability reported by meizjm3i and codeplutos of AntGroup FG Security Lab. This vulnerability has been assigned identifier CVE-2022-35912 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35912>.


The vulnerability allows an attacker to remotely execute code within a Grails application runtime by issuing a specially crafted web request that grants the attacker access to the class loader. This attack exploits a section of the Grails data-binding logic. Grails data-binding is invoked in a number of ways including the creation of command objects, domain class construction, and manual data binding when using bindData. For a full description, please refer to the data-binding documentation <https://docs.grails.org/latest/guide/theWebLayer.html#dataBinding>.

Blog post: https://grails.org/blog/2022-07-18-rce-vulnerability.html

GitHub thread: https://github.com/grails/grails-core/issues/12626
