Headline
CVE-2022-35912
In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader.
Package
maven grails-databinding (Maven)
Affected versions
3.x, <=4.1.0, <=5.1.9, <=5.2.1
Patched versions
5.2.1, 5.1.9, 4.1.1, 3.3.15
Description
Impact
A vulnerability has been discovered in the Grails data-binding logic which allows for Remote Code Execution in a Grails application. This exploit requires the application to be running on Java 8, either deployed as a WAR to a servlet container, or an executable JAR.
Patches
Grails framework versions 5.2.1, 5.1.9, 4.1.1, and 3.3.15
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35912
https://grails.org/blog/2022-07-18-rce-vulnerability.html
For more information
If you have any questions or comments about this advisory:
- https://grails.org/blog/2022-07-18-rce-vulnerability.html
- #12626
- Email us at [email protected]
Credit
This vulnerability was discovered by meizjm3i and codeplutos of AntGroup FG Security Lab
Related news
Maintainers warn to patch all versions of open source web app framework – even those not deemed vulnerable
### Impact A vulnerability has been discovered in the Grails data-binding logic which allows for Remote Code Execution in a Grails application. This exploit requires the application to be running on Java 8, either deployed as a WAR to a servlet container, or an executable JAR. ### Patches Grails framework versions 5.2.1, 5.1.9, 4.1.1, and 3.3.15 ### References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35912 https://grails.org/blog/2022-07-18-rce-vulnerability.html ### For more information If you have any questions or comments about this advisory: * https://grails.org/blog/2022-07-18-rce-vulnerability.html * https://github.com/grails/grails-core/issues/12626 * Email us at [[email protected]](mailto:[email protected]) ### Credit This vulnerability was discovered by [meizjm3i](https://github.com/meizjm3i) and [codeplutos](https://github.com/codeplutos) of AntGroup FG Security Lab