Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities found for spring-boot-admin by codecentric
CVE-2022-46166 (GCVE-0-2022-46166)
Vulnerability from nvd – Published: 2022-12-09 20:11 – Updated: 2025-04-23 16:29
VLAI
Title
Spring Boot Admins integrated notifier support allows arbitrary code execution
Summary
Spring boot admins is an open source administrative user interface for management of spring boot applications. All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are affected. Users are advised to upgrade to the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 to resolve this issue. Users unable to upgrade may disable any notifier or disable write access (POST request) on `/env` actuator endpoint.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/codecentric/spring-boot-admin/… | x_refsource_CONFIRM |
| https://github.com/codecentric/spring-boot-admin/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| codecentric | spring-boot-admin |
Affected:
< 2.6.10
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:24:03.383Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/codecentric/spring-boot-admin/security/advisories/GHSA-w3x5-427h-wfq6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/codecentric/spring-boot-admin/security/advisories/GHSA-w3x5-427h-wfq6"
},
{
"name": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-46166",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:45:59.993854Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:29:18.720Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "spring-boot-admin",
"vendor": "codecentric",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Spring boot admins is an open source administrative user interface for management of spring boot applications. All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are affected. Users are advised to upgrade to the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 to resolve this issue. Users unable to upgrade may disable any notifier or disable write access (POST request) on `/env` actuator endpoint.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-09T20:11:11.646Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/codecentric/spring-boot-admin/security/advisories/GHSA-w3x5-427h-wfq6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/codecentric/spring-boot-admin/security/advisories/GHSA-w3x5-427h-wfq6"
},
{
"name": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75"
}
],
"source": {
"advisory": "GHSA-w3x5-427h-wfq6",
"discovery": "UNKNOWN"
},
"title": "Spring Boot Admins integrated notifier support allows arbitrary code execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-46166",
"datePublished": "2022-12-09T20:11:11.646Z",
"dateReserved": "2022-11-28T17:27:19.998Z",
"dateUpdated": "2025-04-23T16:29:18.720Z",
"requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-46166 (GCVE-0-2022-46166)
Vulnerability from cvelistv5 – Published: 2022-12-09 20:11 – Updated: 2025-04-23 16:29
VLAI
Title
Spring Boot Admins integrated notifier support allows arbitrary code execution
Summary
Spring boot admins is an open source administrative user interface for management of spring boot applications. All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are affected. Users are advised to upgrade to the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 to resolve this issue. Users unable to upgrade may disable any notifier or disable write access (POST request) on `/env` actuator endpoint.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/codecentric/spring-boot-admin/… | x_refsource_CONFIRM |
| https://github.com/codecentric/spring-boot-admin/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| codecentric | spring-boot-admin |
Affected:
< 2.6.10
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:24:03.383Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/codecentric/spring-boot-admin/security/advisories/GHSA-w3x5-427h-wfq6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/codecentric/spring-boot-admin/security/advisories/GHSA-w3x5-427h-wfq6"
},
{
"name": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-46166",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:45:59.993854Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:29:18.720Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "spring-boot-admin",
"vendor": "codecentric",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Spring boot admins is an open source administrative user interface for management of spring boot applications. All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are affected. Users are advised to upgrade to the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 to resolve this issue. Users unable to upgrade may disable any notifier or disable write access (POST request) on `/env` actuator endpoint.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-09T20:11:11.646Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/codecentric/spring-boot-admin/security/advisories/GHSA-w3x5-427h-wfq6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/codecentric/spring-boot-admin/security/advisories/GHSA-w3x5-427h-wfq6"
},
{
"name": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75"
}
],
"source": {
"advisory": "GHSA-w3x5-427h-wfq6",
"discovery": "UNKNOWN"
},
"title": "Spring Boot Admins integrated notifier support allows arbitrary code execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-46166",
"datePublished": "2022-12-09T20:11:11.646Z",
"dateReserved": "2022-11-28T17:27:19.998Z",
"dateUpdated": "2025-04-23T16:29:18.720Z",
"requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}