|
Message-ID: <DM5PR14MB14659176D1373740E82972C2E18E9@DM5PR14MB1465.namprd14.prod.outlook.com> Date: Wed, 20 Jul 2022 19:58:07 +0000 From: "Myers, Christopher" <Christopher.Myers@...or.edu> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: Grails Framework Remote Code Execution Vulnerability, CVE-2022-35912 I haven't seen this posted yet, so I'm just passing along. The Grails team has confirmed a critical security vulnerability reported by meizjm3i and codeplutos of AntGroup FG Security Lab. This vulnerability has been assigned identifier CVE-2022-35912<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35912>. The vulnerability allows an attacker to remotely execute code within a Grails application runtime by issuing a specially crafted web request that grants the attacker access to the class loader. This attack exploits a section of the Grails data-binding logic. Grails data-binding is invoked in a number of ways including the creation of command objects, domain class construction, and manual data binding when using bindData. For a full description, please refer to the data-binding documentation<https://docs.grails.org/latest/guide/theWebLayer.html#dataBinding>. Blog post: https://grails.org/blog/2022-07-18-rce-vulnerability.html Github thread: https://github.com/grails/grails-core/issues/12626
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.