Lucene search

[email protected]CVE-2022-35912

HistoryJul 19, 2022 - 4:15 p.m.

CVE-2022-35912

2022-07-1916:15:08

[email protected]

web.nvd.nist.gov

cve-2022-35912

grails-databinding

remote code execution

vulnerability

nvd

security advisory

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.008 Low

EPSS

Percentile

82.1%

JSON

In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader.

Affected configurations

NVD

Node

grailsgrailsRange3.3.10–3.3.15

grailsgrailsRange4.0.0–4.1.1

grailsgrailsRange5.0.0–5.1.9

grailsgrailsMatch5.2.0

CPENameOperatorVersion
grails:grailsgrailslt3.3.15
grails:grailsgrailslt4.1.1
grails:grailsgrailslt5.1.9
grails:grailsgrailseq5.2.0

CPE	Name	Operator	Version
grails:grails	grails	lt	3.3.15
grails:grails	grails	lt	4.1.1
grails:grails	grails	lt	5.1.9
grails:grails	grails	eq	5.2.0

References

www.openwall.com/lists/oss-security/2022/07/20/4

github.com/grails/grails-core/issues/12626

github.com/grails/grails-core/security/advisories/GHSA-6rh6-x8ww-9h97

grails.org/blog/2022-07-18-rce-vulnerability.html

Social References

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.008 Low

EPSS

Percentile

82.1%

JSON

Related for CVE-2022-35912

prion1 github1 osv2 veracode1 cvelist1 nvd1