Headline
GHSA-6rh6-x8ww-9h97: Grails framework Remote Code Execution via Data Binding
Impact
A vulnerability has been discovered in the Grails data-binding logic which allows for Remote Code Execution in a Grails application. This exploit requires the application to be running on Java 8, either deployed as a WAR to a servlet container, or an executable JAR.
Patches
Grails framework versions 5.2.1, 5.1.9, 4.1.1, and 3.3.15
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35912 https://grails.org/blog/2022-07-18-rce-vulnerability.html
For more information
If you have any questions or comments about this advisory:
- https://grails.org/blog/2022-07-18-rce-vulnerability.html
- https://github.com/grails/grails-core/issues/12626
- Email us at [email protected]
Credit
This vulnerability was discovered by meizjm3i and codeplutos of AntGroup FG Security Lab
Package
maven org.grails:grails-databinding (Maven)
Affected versions
>= 3.3.10, < 3.3.15
>= 4.0.0, < 4.1.1
>= 5.0.0, < 5.1.9
= 5.2.0
Patched versions
3.3.15
4.1.1
5.1.9
5.2.1
Description
Impact
A vulnerability has been discovered in the Grails data-binding logic which allows for Remote Code Execution in a Grails application. This exploit requires the application to be running on Java 8, either deployed as a WAR to a servlet container, or an executable JAR.
Patches
Grails framework versions 5.2.1, 5.1.9, 4.1.1, and 3.3.15
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35912
https://grails.org/blog/2022-07-18-rce-vulnerability.html
For more information
If you have any questions or comments about this advisory:
- https://grails.org/blog/2022-07-18-rce-vulnerability.html
- grails/grails-core#12626
- Email us at [email protected]
Credit
This vulnerability was discovered by meizjm3i and codeplutos of AntGroup FG Security Lab
References
- GHSA-6rh6-x8ww-9h97
- https://nvd.nist.gov/vuln/detail/CVE-2022-35912
- grails/grails-core#12626
- https://grails.org/blog/2022-07-18-rce-vulnerability.html
JasonTypesCodes published the maintainer security advisory
Jul 18, 2022
Related news
Maintainers warn to patch all versions of open source web app framework – even those not deemed vulnerable
In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader.