Grails framework Remote Code Execution via Data Binding
Critical severity
GitHub Reviewed
Published
Jul 18, 2022
in
grails/grails-core
•
Updated Jan 27, 2023
Package
Affected versions
>= 3.3.10, < 3.3.15
>= 4.0.0, < 4.1.1
>= 5.0.0, < 5.1.9
= 5.2.0
Patched versions
3.3.15
4.1.1
5.1.9
5.2.1
Description
Published by the National Vulnerability Database
Jul 19, 2022
Published to the GitHub Advisory Database
Jul 21, 2022
Reviewed
Jul 21, 2022
Last updated
Jan 27, 2023
Impact
A vulnerability has been discovered in the Grails data-binding logic which allows for Remote Code Execution in a Grails application. This exploit requires the application to be running on Java 8, either deployed as a WAR to a servlet container, or an executable JAR.
Patches
Grails framework versions 5.2.1, 5.1.9, 4.1.1, and 3.3.15
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35912
https://grails.org/blog/2022-07-18-rce-vulnerability.html
For more information
If you have any questions or comments about this advisory:
Credit
This vulnerability was discovered by meizjm3i and codeplutos of AntGroup FG Security Lab
References