GHSA-6rh6-x8ww-9h97: Grails framework Remote Code Execution via Data Binding

Package

maven org.grails:grails-databinding (Maven)

Affected versions

>= 3.3.10, < 3.3.15

>= 4.0.0, < 4.1.1

>= 5.0.0, < 5.1.9

= 5.2.0

Patched versions

3.3.15

4.1.1

5.1.9

5.2.1

Description

Impact

A vulnerability has been discovered in the Grails data-binding logic which allows for Remote Code Execution in a Grails application. This exploit requires the application to be running on Java 8, either deployed as a WAR to a servlet container, or an executable JAR.

Patches

Grails framework versions 5.2.1, 5.1.9, 4.1.1, and 3.3.15

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35912
https://grails.org/blog/2022-07-18-rce-vulnerability.html

For more information

If you have any questions or comments about this advisory:

• https://grails.org/blog/2022-07-18-rce-vulnerability.html
• grails/grails-core#12626
• Email us at [email protected]

Credit

This vulnerability was discovered by meizjm3i and codeplutos of AntGroup FG Security Lab

References

• GHSA-6rh6-x8ww-9h97
• https://nvd.nist.gov/vuln/detail/CVE-2022-35912
• grails/grails-core#12626
• https://grails.org/blog/2022-07-18-rce-vulnerability.html

JasonTypesCodes published the maintainer security advisory

Jul 18, 2022