Описание
Spring boot admins is an open source administrative user interface for management of spring boot applications. All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are affected. Users are advised to upgrade to the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 to resolve this issue. Users unable to upgrade may disable any notifier or disable write access (POST request) on /env actuator endpoint.
Ссылки
- PatchThird Party Advisory
- MitigationThird Party Advisory
- PatchThird Party Advisory
- MitigationThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 2.6.10 (исключая)Версия от 2.7.0 (включая) до 2.7.8 (исключая)
Одно из
cpe:2.3:a:codecentric:spring_boot_admin:*:*:*:*:*:*:*:*
cpe:2.3:a:codecentric:spring_boot_admin:*:*:*:*:*:*:*:*
cpe:2.3:a:codecentric:spring_boot_admin:3.0.0:m1:*:*:*:*:*:*
cpe:2.3:a:codecentric:spring_boot_admin:3.0.0:m2:*:*:*:*:*:*
cpe:2.3:a:codecentric:spring_boot_admin:3.0.0:m3:*:*:*:*:*:*
cpe:2.3:a:codecentric:spring_boot_admin:3.0.0:m4:*:*:*:*:*:*
cpe:2.3:a:codecentric:spring_boot_admin:3.0.0:m5:*:*:*:*:*:*
EPSS
Процентиль: 96%
0.23368
Средний
8 High
CVSS3
9.8 Critical
CVSS3
Дефекты
CWE-94
Связанные уязвимости
CVSS3: 8
github
около 3 лет назад
Spring Boot Admins integrated notifier support allows arbitrary code execution
EPSS
Процентиль: 96%
0.23368
Средний
8 High
CVSS3
9.8 Critical
CVSS3
Дефекты
CWE-94