Vulnerabilities related to grails - grails
CVE-2019-12728 (GCVE-0-2019-12728)
Vulnerability from cvelistv5
Published
2019-06-04 12:41
Modified
2024-08-04 23:32
Severity ?
8.1 (High) - CVSS:3.0/AC:H/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N
CWE
- n/a (CNA record; the NVD record for this CVE further down this page assigns CWE-494)
Summary
Grails before 3.3.10 used cleartext HTTP to resolve the SDKMan notification service. NOTE: users' apps were not resolving dependencies over cleartext HTTP.
References
▼ | URL | Tags |
---|---|---|
https://objectcomputing.com/news/2019/05/30/possible-grails-mitm-vulnerability | x_refsource_MISC | |
https://github.com/grails/grails-core/issues/11250 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:32:53.970Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://objectcomputing.com/news/2019/05/30/possible-grails-mitm-vulnerability" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/grails/grails-core/issues/11250" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Grails before 3.3.10 used cleartext HTTP to resolve the SDKMan notification service. NOTE: users\u0027 apps were not resolving dependencies over cleartext HTTP." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:H/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-06-04T12:41:49", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://objectcomputing.com/news/2019/05/30/possible-grails-mitm-vulnerability" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/grails/grails-core/issues/11250" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12728", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": 
"MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Grails before 3.3.10 used cleartext HTTP to resolve the SDKMan notification service. NOTE: users\u0027 apps were not resolving dependencies over cleartext HTTP." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:H/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://objectcomputing.com/news/2019/05/30/possible-grails-mitm-vulnerability", "refsource": "MISC", "url": "https://objectcomputing.com/news/2019/05/30/possible-grails-mitm-vulnerability" }, { "name": "https://github.com/grails/grails-core/issues/11250", "refsource": "MISC", "url": "https://github.com/grails/grails-core/issues/11250" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12728", "datePublished": "2019-06-04T12:41:49", "dateReserved": "2019-06-04T00:00:00", "dateUpdated": "2024-08-04T23:32:53.970Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-35912 (GCVE-0-2022-35912)
Vulnerability from cvelistv5
Published
2022-07-19 15:56
Modified
2024-08-03 09:44
Severity ?
CWE
- n/a
Summary
In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader.
References
▼ | URL | Tags |
---|---|---|
https://github.com/grails/grails-core/security/advisories/GHSA-6rh6-x8ww-9h97 | x_refsource_CONFIRM | |
https://grails.org/blog/2022-07-18-rce-vulnerability.html | x_refsource_CONFIRM | |
https://github.com/grails/grails-core/issues/12626 | x_refsource_CONFIRM | |
http://www.openwall.com/lists/oss-security/2022/07/20/4 | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T09:44:22.117Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/grails/grails-core/security/advisories/GHSA-6rh6-x8ww-9h97" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://grails.org/blog/2022-07-18-rce-vulnerability.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/grails/grails-core/issues/12626" }, { "name": "[oss-security] 20220720 Grails Framework Remote Code Execution Vulnerability, CVE-2022-35912", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/20/4" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-20T23:06:09", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/grails/grails-core/security/advisories/GHSA-6rh6-x8ww-9h97" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://grails.org/blog/2022-07-18-rce-vulnerability.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/grails/grails-core/issues/12626" }, { "name": "[oss-security] 20220720 Grails Framework Remote Code Execution Vulnerability, CVE-2022-35912", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/20/4" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-35912", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/grails/grails-core/security/advisories/GHSA-6rh6-x8ww-9h97", "refsource": "CONFIRM", "url": "https://github.com/grails/grails-core/security/advisories/GHSA-6rh6-x8ww-9h97" }, { "name": "https://grails.org/blog/2022-07-18-rce-vulnerability.html", "refsource": "CONFIRM", "url": "https://grails.org/blog/2022-07-18-rce-vulnerability.html" }, { "name": "https://github.com/grails/grails-core/issues/12626", "refsource": "CONFIRM", "url": "https://github.com/grails/grails-core/issues/12626" }, { "name": "[oss-security] 20220720 Grails Framework Remote Code Execution Vulnerability, CVE-2022-35912", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/07/20/4" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-35912", "datePublished": "2022-07-19T15:56:59", "dateReserved": "2022-07-15T00:00:00", "dateUpdated": "2024-08-03T09:44:22.117Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-46131 (GCVE-0-2023-46131)
Vulnerability from cvelistv5
Published
2023-12-20 23:24
Modified
2024-08-02 20:37
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
Grails is a framework used to build web applications with the Groovy programming language. A specially crafted web request can lead to a JVM crash or denial of service. Any Grails framework application using Grails data binding is vulnerable. This issue has been patched in version 3.3.17, 4.1.3, 5.3.4, 6.1.0.
References
▼ | URL | Tags |
---|---|---|
https://github.com/grails/grails-core/security/advisories/GHSA-3pjv-r7w4-2cf5 | x_refsource_CONFIRM | |
https://github.com/grails/grails-core/issues/13302 | x_refsource_MISC | |
https://github.com/grails/grails-core/commit/74326bdd2cf7dcb594092165e9464520f8366c60 | x_refsource_MISC | |
https://github.com/grails/grails-core/commit/c401faaa6c24c021c758b95f72304a0e855a8db3 | x_refsource_MISC | |
https://grails.org/blog/2023-12-20-cve-data-binding-dos.html | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
grails | grails-core | >= 6.0.0, < 6.1.0 |
grails | grails-core | >= 5.0.0, < 5.3.4 |
grails | grails-core | >= 4.0.0, < 4.1.3 |
grails | grails-core | >= 2.0.0, < 3.3.17 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:37:39.816Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/grails/grails-core/security/advisories/GHSA-3pjv-r7w4-2cf5", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/grails/grails-core/security/advisories/GHSA-3pjv-r7w4-2cf5" }, { "name": "https://github.com/grails/grails-core/issues/13302", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/grails/grails-core/issues/13302" }, { "name": "https://github.com/grails/grails-core/commit/74326bdd2cf7dcb594092165e9464520f8366c60", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/grails/grails-core/commit/74326bdd2cf7dcb594092165e9464520f8366c60" }, { "name": "https://github.com/grails/grails-core/commit/c401faaa6c24c021c758b95f72304a0e855a8db3", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/grails/grails-core/commit/c401faaa6c24c021c758b95f72304a0e855a8db3" }, { "name": "https://grails.org/blog/2023-12-20-cve-data-binding-dos.html", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://grails.org/blog/2023-12-20-cve-data-binding-dos.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "grails-core", "vendor": "grails", "versions": [ { "status": "affected", "version": "\u003e= 6.0.0, \u003c 6.1.0" }, { "status": "affected", "version": "\u003e= 5.0.0, \u003c 5.3.4" }, { "status": "affected", "version": "\u003e= 4.0.0, \u003c 4.1.3" }, { "status": "affected", "version": "\u003e= 2.0.0, \u003c 3.3.17" } ] } ], "descriptions": [ { "lang": "en", "value": "Grails is a framework used to build web applications with the Groovy programming language. A specially crafted web request can lead to a JVM crash or denial of service. Any Grails framework application using Grails data binding is vulnerable. 
This issue has been patched in version 3.3.17, 4.1.3, 5.3.4, 6.1.0.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-20T23:24:27.227Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/grails/grails-core/security/advisories/GHSA-3pjv-r7w4-2cf5", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/grails/grails-core/security/advisories/GHSA-3pjv-r7w4-2cf5" }, { "name": "https://github.com/grails/grails-core/issues/13302", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/grails/grails-core/issues/13302" }, { "name": "https://github.com/grails/grails-core/commit/74326bdd2cf7dcb594092165e9464520f8366c60", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/grails/grails-core/commit/74326bdd2cf7dcb594092165e9464520f8366c60" }, { "name": "https://github.com/grails/grails-core/commit/c401faaa6c24c021c758b95f72304a0e855a8db3", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/grails/grails-core/commit/c401faaa6c24c021c758b95f72304a0e855a8db3" }, { "name": "https://grails.org/blog/2023-12-20-cve-data-binding-dos.html", "tags": [ "x_refsource_MISC" ], "url": "https://grails.org/blog/2023-12-20-cve-data-binding-dos.html" } ], "source": { "advisory": "GHSA-3pjv-r7w4-2cf5", "discovery": "UNKNOWN" }, "title": "Grails\u00ae data binding causes JVM crash and/or DoS " } }, "cveMetadata": { "assignerOrgId": 
"a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-46131", "datePublished": "2023-12-20T23:24:27.227Z", "dateReserved": "2023-10-16T17:51:35.573Z", "dateUpdated": "2024-08-02T20:37:39.816Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-12728
Vulnerability from fkie_nvd
Published
2019-06-04 13:29
Modified
2024-11-21 04:23
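Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
8.1 (High) - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 (Medium) - AV:N/AC:M/Au:N/C:P/I:P/A:P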
Summary
Grails before 3.3.10 used cleartext HTTP to resolve the SDKMan notification service. NOTE: users' apps were not resolving dependencies over cleartext HTTP.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/grails/grails-core/issues/11250 | Exploit, Third Party Advisory | |
cve@mitre.org | https://objectcomputing.com/news/2019/05/30/possible-grails-mitm-vulnerability | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/grails/grails-core/issues/11250 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://objectcomputing.com/news/2019/05/30/possible-grails-mitm-vulnerability | Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:grails:grails:*:*:*:*:*:*:*:*", "matchCriteriaId": "918A84B3-E1D0-47CD-B2D6-BB7641DA3105", "versionEndExcluding": "3.3.10", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Grails before 3.3.10 used cleartext HTTP to resolve the SDKMan notification service. NOTE: users\u0027 apps were not resolving dependencies over cleartext HTTP." }, { "lang": "es", "value": "Grails anterior de la versi\u00f3n 3.3.10 usaba cleartext HTTP para resolver el servicio de notificaci\u00f3n SDKMan. NOTA: las aplicaciones de los usuarios no resolv\u00edan las posesiones a trav\u00e9s de HTTP de texto simple." } ], "id": "CVE-2019-12728", "lastModified": "2024-11-21T04:23:27.033", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "cve@mitre.org", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": 
"HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-06-04T13:29:00.590", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/grails/grails-core/issues/11250" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://objectcomputing.com/news/2019/05/30/possible-grails-mitm-vulnerability" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/grails/grails-core/issues/11250" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://objectcomputing.com/news/2019/05/30/possible-grails-mitm-vulnerability" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-494" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
CVE-2023-46131
Vulnerability from fkie_nvd
Published
2023-12-21 00:15
Modified
2024-11-21 08:27
Severity ?
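6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Per the record below, the 6.5 score (PR:L) is the Secondary score from security-advisories@github.com and the 7.5 score (PR:N) is the Primary score from nvd@nist.gov; the two differ only in privileges required.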
Summary
Grails is a framework used to build web applications with the Groovy programming language. A specially crafted web request can lead to a JVM crash or denial of service. Any Grails framework application using Grails data binding is vulnerable. This issue has been patched in version 3.3.17, 4.1.3, 5.3.4, 6.1.0.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:grails:grails:*:*:*:*:*:*:*:*", "matchCriteriaId": "CAD6356E-B39D-4EA5-A9FB-D8140235D2B2", "versionEndExcluding": "3.3.17", "vulnerable": true }, { "criteria": "cpe:2.3:a:grails:grails:*:*:*:*:*:*:*:*", "matchCriteriaId": "DFF18D31-5B0E-47FD-B30C-4FD4A32FC042", "versionEndExcluding": "4.1.3", "versionStartIncluding": "4.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:grails:grails:*:*:*:*:*:*:*:*", "matchCriteriaId": "DED2D306-FEC4-4E15-BEB3-DDC7983539FC", "versionEndExcluding": "5.3.4", "versionStartIncluding": "5.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:grails:grails:*:*:*:*:*:*:*:*", "matchCriteriaId": "2E186C3B-2074-4B0E-92A1-44FEEDD1F73C", "versionEndExcluding": "6.1.0", "versionStartIncluding": "6.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Grails is a framework used to build web applications with the Groovy programming language. A specially crafted web request can lead to a JVM crash or denial of service. Any Grails framework application using Grails data binding is vulnerable. This issue has been patched in version 3.3.17, 4.1.3, 5.3.4, 6.1.0.\n" }, { "lang": "es", "value": "Grails es un framework utilizado para crear aplicaciones web con el lenguaje de programaci\u00f3n Groovy. Una solicitud web especialmente manipulada puede provocar un fallo de JVM o una denegaci\u00f3n de servicio. Cualquier aplicaci\u00f3n del framework de Grails que utilice el enlace de datos de Grails es vulnerable. Este problema se solucion\u00f3 en las versiones 3.3.17, 4.1.3, 5.3.4, 6.1.0." 
} ], "id": "CVE-2023-46131", "lastModified": "2024-11-21T08:27:56.730", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-12-21T00:15:25.813", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/grails/grails-core/commit/74326bdd2cf7dcb594092165e9464520f8366c60" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/grails/grails-core/commit/c401faaa6c24c021c758b95f72304a0e855a8db3" }, { "source": "security-advisories@github.com", "tags": [ "Issue Tracking" ], "url": "https://github.com/grails/grails-core/issues/13302" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/grails/grails-core/security/advisories/GHSA-3pjv-r7w4-2cf5" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://grails.org/blog/2023-12-20-cve-data-binding-dos.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": 
"https://github.com/grails/grails-core/commit/74326bdd2cf7dcb594092165e9464520f8366c60" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/grails/grails-core/commit/c401faaa6c24c021c758b95f72304a0e855a8db3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking" ], "url": "https://github.com/grails/grails-core/issues/13302" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/grails/grails-core/security/advisories/GHSA-3pjv-r7w4-2cf5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://grails.org/blog/2023-12-20-cve-data-binding-dos.html" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
CVE-2022-35912
Vulnerability from fkie_nvd
Published
2022-07-19 16:15
Modified
2024-11-21 07:11
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.openwall.com/lists/oss-security/2022/07/20/4 | Mailing List, Third Party Advisory | |
cve@mitre.org | https://github.com/grails/grails-core/issues/12626 | Issue Tracking, Patch, Third Party Advisory | |
cve@mitre.org | https://github.com/grails/grails-core/security/advisories/GHSA-6rh6-x8ww-9h97 | Third Party Advisory | |
cve@mitre.org | https://grails.org/blog/2022-07-18-rce-vulnerability.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/07/20/4 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/grails/grails-core/issues/12626 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/grails/grails-core/security/advisories/GHSA-6rh6-x8ww-9h97 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://grails.org/blog/2022-07-18-rce-vulnerability.html | Vendor Advisory |
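Impacted products
NVD CPE ranges (from the record below): grails >= 3.3.10 and < 3.3.15; >= 4.0.0 and < 4.1.1; >= 5.0.0 and < 5.1.9; and 5.2.0. The 3.x range starts at 3.3.10 although the summary says "before 3.3.15", so CPE-only matching will not flag 3.x releases older than 3.3.10 that the summary's wording covers.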
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:grails:grails:*:*:*:*:*:*:*:*", "matchCriteriaId": "B893EB58-EB51-41D4-856E-30163F4D538B", "versionEndExcluding": "3.3.15", "versionStartIncluding": "3.3.10", "vulnerable": true }, { "criteria": "cpe:2.3:a:grails:grails:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C24C87F-9FAE-421F-8AE1-5244ED2E1E93", "versionEndExcluding": "4.1.1", "versionStartIncluding": "4.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:grails:grails:*:*:*:*:*:*:*:*", "matchCriteriaId": "299BB9A1-8287-4375-ADB7-862A75605377", "versionEndExcluding": "5.1.9", "versionStartIncluding": "5.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:grails:grails:5.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "ABA45FCD-1D03-416A-B496-7058C5138EB0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader." }, { "lang": "es", "value": "En grails-databinding en Grails versiones anteriores a 3.3.15, 4.x anteriores a 4.1.1, 5.x anteriores a 5.1.9, y 5.2.x anteriores a 5.2.1 (al menos cuando son usadas determinadas configuraciones de Java 8), la vinculaci\u00f3n de datos permite a un atacante remoto ejecutar c\u00f3digo al conseguir acceso al cargador de clases." 
} ], "id": "CVE-2022-35912", "lastModified": "2024-11-21T07:11:56.617", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-07-19T16:15:08.697", "references": [ { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/20/4" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/grails/grails-core/issues/12626" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/grails/grails-core/security/advisories/GHSA-6rh6-x8ww-9h97" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://grails.org/blog/2022-07-18-rce-vulnerability.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/20/4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/grails/grails-core/issues/12626" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/grails/grails-core/security/advisories/GHSA-6rh6-x8ww-9h97" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://grails.org/blog/2022-07-18-rce-vulnerability.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { 
"lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }