CVE-2022-46166

high-risk
Published 2022-12-09

Spring boot admins is an open source administrative user interface for management of spring boot applications. All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are affected. Users are advised to upgrade to the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 to resolve this issue. Users unable to upgrade may disable any notifier or disable write access (POST request) on `/env` actuator endpoint.

Do I need to act?

!
27.0% chance of exploitation in next 30 days
EPSS score — higher than 73% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.0/10 High
NETWORK / HIGH complexity

Affected Products (6)

Affected Vendors

Codecentric

References (4)

Patch https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3...
Mitigation https://github.com/codecentric/spring-boot-admin/security/advisories/GHSA-w3x5-4...
Patch https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3...
Mitigation https://github.com/codecentric/spring-boot-admin/security/advisories/GHSA-w3x5-4...
52
/ 100
high-risk
Severity 24/34 · High
Exploitability 15/34 · Moderate
Exposure 13/34 · Low