Headline
CVE-2022-46166: Spring Boot Admins integrated notifier support allows arbitrary code execution
Spring boot admins is an open source administrative user interface for management of spring boot applications. All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are affected. Users are advised to upgrade to the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 to resolve this issue. Users unable to upgrade may disable any notifier or disable write access (POST request) on /env actuator endpoint.
Package
de.codecentric.boot.admin.server.notify (Spring Boot Admin Server - Notifier)
Affected versions
< 2.6.10
< 2.7.8
< 3.0.0-M6
Patched versions
2.6.10
2.7.8
3.0.0-M6
Description
Impact
All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are possibly affected.
Patches
In the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 the issue is fixed by implementing SimpleExecutionContext of SpEL. This prevents the arbitrary code execution (i.e. SpEL injection).
Workarounds
- Disable any notifier
- Disable write access (POST request) on /env actuator endpoint
Related news
### Impact All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are possibly affected. ### Patches In the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 the issue is fixed by implementing `SimpleExecutionContext` of SpEL. This prevents the arbitrary code execution (i.e. SpEL injection). ### Workarounds * Disable any notifier * Disable write access (POST request) on `/env` actuator endpoint