Lucene search

[email protected]NVD:CVE-2023-46131

HistoryDec 21, 2023 - 12:15 a.m.

CVE-2023-46131

2023-12-2100:15:25

CWE-400

[email protected]

web.nvd.nist.gov

grails framework

web application

groovy

jvm crash

denial of service

data binding

vulnerability

patched

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

25.1%

JSON

Grails is a framework used to build web applications with the Groovy programming language. A specially crafted web request can lead to a JVM crash or denial of service. Any Grails framework application using Grails data binding is vulnerable. This issue has been patched in version 3.3.17, 4.1.3, 5.3.4, 6.1.0.

Affected configurations

Nvd

Node

grailsgrailsRange<3.3.17

grailsgrailsRange4.0.0–4.1.3

grailsgrailsRange5.0.0–5.3.4

grailsgrailsRange6.0.0–6.1.0

VendorProductVersionCPE
grailsgrails*cpe:2.3:a:grails:grails:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
grails	grails	*	cpe:2.3:a:grails:grails::::::::

References

github.com/grails/grails-core/commit/74326bdd2cf7dcb594092165e9464520f8366c60

github.com/grails/grails-core/commit/c401faaa6c24c021c758b95f72304a0e855a8db3

github.com/grails/grails-core/issues/13302

github.com/grails/grails-core/security/advisories/GHSA-3pjv-r7w4-2cf5

grails.org/blog/2023-12-20-cve-data-binding-dos.html

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

25.1%

JSON

Related for NVD:CVE-2023-46131

hp1 cve1 prion1 osv2 cvelist1 github1 veracode1