CVE-2022-35912
Remote Code Execution vulnerability in grails-databinding (Maven)

Remote Code Execution | No known exploit | Fixable by Resolved Security

What is CVE-2022-35912 About?

A Remote Code Execution (RCE) vulnerability exists in the Grails data-binding logic, allowing attackers to execute arbitrary code. Exploitation requires the application to be running on Java 8, deployed either as a WAR or as an executable JAR. It is complex and depends on specific environmental conditions.

Affected Software

  • org.grails:grails-databinding
    • >5.0.0, <5.1.9
    • >5.2.0, <5.2.1
    • >4.0.0, <4.1.1
    • >3.3.10, <3.3.15

Technical Details

A Remote Code Execution vulnerability has been identified in the Grails framework's data-binding logic. This flaw allows an attacker to execute arbitrary code on the server. Exploitation depends on the application running on Java 8, regardless of whether it is deployed as a WAR file within a servlet container or as a standalone executable JAR. The data-binding mechanism, which automatically maps incoming request parameters to Java objects, can be abused to manipulate internal object properties or invoke methods that ultimately lead to code execution, typically by leveraging gadget chains or specific library configurations available in the Java 8 runtime environment.

What is the Impact of CVE-2022-35912?

Successful exploitation may allow attackers to execute arbitrary code with the privileges of the affected application, leading to complete system compromise, data theft, or further network penetration.

What is the Exploitability of CVE-2022-35912?

Exploitation requires remote access to a Grails application. The complexity is high, as it depends on crafting specific data-binding payloads that trigger code execution against a Java 8 runtime environment. No authentication is required if the vulnerable data-binding path is accessible to unauthenticated requests. However, specific knowledge of the application's data models and potential gadget chains might be needed. No special privileges are required on the operating system, as the code executes within the context of the Grails application. The critical prerequisites are the application being built with a vulnerable Grails version and running on Java 8, which significantly narrows the attack surface but increases the potential impact if these conditions are met.

What are the Known Public Exploits?

PoC Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-35912?

A Fix by Resolved Security Exists!

Available Upgrade Options

  • org.grails:grails-databinding
    • >3.3.10, <3.3.15 → Upgrade to 3.3.15
    • >4.0.0, <4.1.1 → Upgrade to 4.1.1
    • >5.0.0, <5.1.9 → Upgrade to 5.1.9
    • >5.2.0, <5.2.1 → Upgrade to 5.2.1
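
A triage sketch for the ranges and upgrade targets listed above, added here as an example and not taken from Grails or Resolved Security: it flags org.grails:grails-databinding coordinates that fall in a listed range, reports the upgrade target, and records whether the runtime is Java 8. The function names, the group:artifact:version input format and the sample data are assumptions; range bounds are exclusive, as this page prints them.

```python
import re

# Ranges and upgrade targets as listed on this page (both bounds exclusive).
AFFECTED = [
    ((3, 3, 10), (3, 3, 15), "3.3.15"),
    ((4, 0, 0), (4, 1, 1), "4.1.1"),
    ((5, 0, 0), (5, 1, 9), "5.1.9"),
    ((5, 2, 0), (5, 2, 1), "5.2.1"),
]
ARTIFACT = "org.grails:grails-databinding"
# Constructed sample input: resolved coordinates as group:artifact:version.
SAMPLE_DEPS = [
    "org.grails:grails-databinding:5.1.8",
    "org.grails:grails-databinding:5.2.1",
    "org.grails:grails-core:5.1.8",
    "org.grails:grails-databinding:3.3.12",
]

def parse_version(text):
    """'5.1.8' or '5.1.8-SNAPSHOT' -> (5, 1, 8); short versions are zero-padded."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def java_major(version_string):
    """'1.8.0_292' -> 8 (legacy 1.x scheme), '11.0.2' -> 11, '17' -> 17."""
    parts = [int(p) for p in re.findall(r"\d+", version_string)]
    return parts[1] if parts[0] == 1 and len(parts) > 1 else parts[0]

def triage(coordinates, java_version):
    """One finding per grails-databinding coordinate inside a listed range.

    java8_precondition_met records the runtime condition the page names.
    """
    on_java8 = java_major(java_version) == 8
    findings = []
    for coord in coordinates:
        group_artifact, _, version = coord.rpartition(":")
        if group_artifact != ARTIFACT:
            continue
        v = parse_version(version)
        for low, high, fixed in AFFECTED:
            if low < v < high:
                findings.append({"coordinate": coord, "upgrade_to": fixed,
                                 "java8_precondition_met": on_java8})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_DEPS, "1.8.0_292"):
        print(finding)
```

A finding with java8_precondition_met set to False still carries its upgrade target, since the Java 8 condition applies to exploitation and not to whether the dependency is in a listed range.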

Additional Resources

What are Similar Vulnerabilities to CVE-2022-35912?

Similar Vulnerabilities: CVE-2022-22965, CVE-2021-44228, CVE-2020-8177, CVE-2019-10023, CVE-2017-5638