CVE-2022-35912
Published 2022-07-19
Priority P260 · critical · CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS 1.75% (75.0th percentile)
In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grails | grails | — | — |
| grails | grails | >= 3.3.10 < 3.3.15 | 3.3.15 |
| grails | grails | >= 4.0.0 < 4.1.1 | 4.1.1 |
| grails | grails | >= 5.0.0 < 5.1.9 | 5.1.9 |
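A version check against the ranges in this table, as an added example (this is not the Grails project's code and not part of the advisory). It reads `grailsVersion=` out of a gradle.properties file, which is where Grails 3+ applications normally declare their framework version (an assumption about your project layout), and reports whether that version sits inside one of the affected ranges and which release fixes it. The 5.2 range is taken from the advisory text ("5.2.x before 5.2.1"), which leaves only 5.2.0.

```python
"""Version check for CVE-2022-35912 against the affected ranges listed on this page.

Added example, not from the Grails project or the advisory. Assumes the Grails
version of an application is declared as `grailsVersion=` in gradle.properties,
the usual layout for Grails 3+ projects.
"""
import re

# (first affected, first fixed) per branch, taken from the Affected table and
# the advisory text; the 5.2 branch is "5.2.x before 5.2.1", i.e. only 5.2.0.
AFFECTED_RANGES = [
    ("3.3.10", "3.3.15"),
    ("4.0.0", "4.1.1"),
    ("5.0.0", "5.1.9"),
    ("5.2.0", "5.2.1"),
]


def parse_version(version):
    """Turn '5.1.9' or '5.1.9.BUILD-SNAPSHOT' into a comparable tuple of ints.

    Non-numeric trailing pieces (qualifiers such as BUILD-SNAPSHOT, M1, RC2)
    are dropped; missing components are padded with zeros so '4.1' == '4.1.0'.
    """
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"not a version string: {version!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version):
    """True if `version` is inside an affected range (inclusive lower, exclusive upper bound)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version):
    """First fixed release of the branch `version` is on, or None if no affected range matches."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return hi
    return None


def grails_version_from_properties(text):
    """Extract the value of `grailsVersion=` from gradle.properties content, or None."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "grailsVersion":
            return value.strip()
    return None


def check_properties(text):
    """Return (version, vulnerable, fixed_in) for the body of a gradle.properties file."""
    version = grails_version_from_properties(text)
    if version is None:
        return (None, False, None)
    return (version, is_vulnerable(version), fixed_version_for(version))


# Constructed sample gradle.properties, not taken from any real project.
SAMPLE_PROPERTIES = """\
# constructed sample
grailsVersion=5.1.8
gormVersion=7.2.1
"""

if __name__ == "__main__":
    version, vulnerable, fixed_in = check_properties(SAMPLE_PROPERTIES)
    if vulnerable:
        print(f"Grails {version} is affected by CVE-2022-35912; upgrade to {fixed_in}")
    else:
        print(f"Grails {version} is outside the affected ranges")
```

Note that the table's 3.x range starts at 3.3.10 while the CVE text says simply "before 3.3.15"; a 3.3.x version older than 3.3.10 is reported as not affected by this check and should still be reviewed against the Grails advisory rather than assumed safe.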
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| GHSA | — | 9.8 | CRITICAL | — |
| OSV | — | 9.8 | CRITICAL | — |
OSV advisory: Grails framework Remote Code Execution via Data Binding
osv · 2022-07-21 · CVSS 9.8 · CRITICAL
### Impact
A vulnerability has been discovered in the Grails data-binding logic which allows for Remote Code Execution in a Grails application. This exploit requires the application to be running on Java 8, either deployed as a WAR to a servlet container, or an executable JAR.
### Patches
Grails framework versions 5.2.1, 5.1.9, 4.1.1, and 3.3.15
### References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35912
https://grails.org/blog/2022-07-18-rce-vulnerability.html
### For more information
If you have any questions or comments about this advisory:
* https://grails.org/blog/2022-07-18-rce-vulnerability.html
* https://github.com/grails/grails-core/issues/12626
* Email us at [[email protected]](mailto:[email protected])
GHSA advisory: Grails framework Remote Code Execution via Data Binding (ghsa · 2022-07-21 · CVSS 9.8 · CRITICAL); text identical to the OSV advisory above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- http://www.openwall.com/lists/oss-security/2022/07/20/4
- https://github.com/grails/grails-core/issues/12626
- https://github.com/grails/grails-core/security/advisories/GHSA-6rh6-x8ww-9h97
- https://grails.org/blog/2022-07-18-rce-vulnerability.html

Published: 2022-07-19