CVE-2022-46166
Published: 09 December 2022
Summary
CVE-2022-46166 is a high-severity Code Injection (CWE-94) vulnerability in Codecentric Spring Boot Admin. Its CVSS base score is 8.0 (High).
Operationally, it ranks in the top 5.8% of CVEs by exploit likelihood (EPSS percentile); it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-46166 is a code injection vulnerability (CWE-94) affecting Spring Boot Admin Server when Notifiers such as the Teams-Notifier are enabled and the application permits write access to environment variables through the administrative UI. The flaw resides in the open-source administrative interface used to manage Spring Boot applications and carries a CVSS 3.1 score of 8.0.
An attacker with low-privileged access to the UI can write attacker-controlled values into the environment; those values are later processed by an enabled notifier, resulting in remote code execution on the Admin Server with full impact on confidentiality, integrity, and availability. Exploitation requires network access to a writable /env actuator endpoint (its POST handler) and a further trigger, a user action or a specific configuration state, before the notifier processes the injected value; the injected value itself is inert until a notification fires.
Public advisories and patches direct administrators to upgrade to Spring Boot Admin 2.6.10 or 2.7.8. As a workaround, organizations can disable all notifiers, or block POST requests to the /env actuator endpoint; it is the write path that the attack needs, so read access can remain available to the UI.
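The second workaround (blocking writes to /env, as stated above and again in the vulnerability details below) is usually implemented as a security rule rather than by removing the endpoint. The following Spring Security configuration is an added example written for this page; it is not code from the Spring Boot Admin project. It assumes the default actuator base path `/actuator`, a Spring Boot 2.7 / Spring Security 5.7 application (the Admin Server itself, or any monitored client whose environment it can write to), and a hypothetical package name `example.hardening`. It denies POST to `/actuator/env` and `/actuator/env/{name}` while leaving GET untouched, so the Environment tab in the UI keeps working.

```java
// Added hardening example for CVE-2022-46166 (not Spring Boot Admin project code).
// Assumptions: actuator base path "/actuator", Spring Security 5.7 API
// (HttpSecurity.requestMatcher; Spring Security 6 renames it to securityMatcher),
// and a hypothetical package name.
package example.hardening;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class EnvWriteLockdown {

    // Matches only the write path: POST to /actuator/env and /actuator/env/<name>.
    // A GET to the same URLs does not match, so reading the environment still works.
    private static final AntPathRequestMatcher ENV_WRITE =
            new AntPathRequestMatcher("/actuator/env/**", HttpMethod.POST.name());

    // Weak state this replaces: a single catch-all chain such as
    //   http.authorizeHttpRequests(a -> a.anyRequest().authenticated())
    // lets any authenticated UI user POST to /actuator/env, which is exactly the
    // precondition the advisory names.
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE) // consulted before the application's other chains
    public SecurityFilterChain denyEnvWrites(HttpSecurity http) throws Exception {
        http
            // Scope this chain to the write path only; every other request falls
            // through to the application's existing security configuration.
            .requestMatcher(ENV_WRITE)
            // No principal, role or CSRF token makes a POST to /env acceptable:
            // the request is rejected with 403 before any endpoint code runs.
            .authorizeHttpRequests(auth -> auth.anyRequest().denyAll());
        return http.build();
    }
}
```

Verify the rule with two requests: `GET /actuator/env` should still return the property sources, and `POST /actuator/env` with a JSON body should return 403 regardless of who is logged in. If the writable endpoint comes from Spring Cloud Context (the component that adds the POST handler to `/env`), its own switch `management.endpoint.env.post.enabled=false` removes the handler at the source; that property is a Spring Cloud Context setting assumed here, not something the page states, and the filter chain above is then defence in depth rather than the only control.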
The EPSS score (the estimated probability of exploitation activity in the next 30 days) rose from a low baseline to a peak of 0.3704, indicating that exploitation interest emerged after disclosure, and has since receded to the current value of 0.1271.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-7754
Vulnerability details
Spring Boot Admin is an open source administrative user interface for management of Spring Boot applications. All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are affected. Users are advised to upgrade to the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 to resolve this issue. Users unable to upgrade may disable any notifier or disable write access (POST request) on `/env` actuator endpoint.
- CWE(s): CWE-94 (Improper Control of Generation of Code, 'Code Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Spring Boot Admin Server deployments on releases before 2.6.10 (2.6 line) or 2.7.8 (2.7 line) that have at least one notifier enabled and expose write (POST) access to the /env actuator endpoint through the UI.
Mitigating Controls
Likely mitigating controls (automated mapping)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. These are generic CWE-94 controls and mostly address native code injection; the concrete controls for this CVE are the upgrade to 2.6.10 / 2.7.8, disabling notifiers, and blocking POST requests to the /env actuator endpoint.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code can be produced and executed inside an isolated sandbox, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.