Cyber Resilience

CVE-2022-46166

Severity: High · Type: RCE

Published: 09 December 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available
CVSS Score v3.1: 8.0 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.1271 (94.2nd percentile)
Risk Priority: 24 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-46166 is a high-severity Code Injection (CWE-94) vulnerability in Codecentric Spring Boot Admin. Its CVSS base score is 8.0 (High).

Operationally, it ranks in the top 5.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-46166 is a code injection vulnerability (CWE-94) affecting Spring Boot Admin Server when Notifiers such as the Teams-Notifier are enabled and the application permits write access to environment variables through the administrative UI. The flaw resides in the open-source administrative interface used to manage Spring Boot applications and carries a CVSS 3.1 score of 8.0.

An attacker with low-privileged access to the UI can supply malicious environment variables that are later processed by an enabled notifier, resulting in remote code execution with high impact on confidentiality, integrity, and availability. Exploitation requires network reachability of the /env actuator endpoint and, per the CVSS vector (UI:R, AC:H), depends on user interaction or a specific configuration state.

Public advisories and patches direct administrators to upgrade to Spring Boot Admin 2.6.10 or 2.7.8; as a workaround, organizations can disable all notifiers or block POST requests to the /env endpoint.

The EPSS score rose from a low baseline to a peak of 0.3704, indicating that exploitation interest emerged after disclosure before receding to the current value of 0.1271.

EU & UK References

Vulnerability details

Spring Boot Admin is an open-source administrative user interface for the management of Spring Boot applications. All users who run Spring Boot Admin Server with Notifiers enabled (e.g. the Teams-Notifier) and write access to environment variables via the UI are affected. Users are advised to upgrade to the most recent releases of Spring Boot Admin, 2.6.10 and 2.7.8, to resolve this issue. Users unable to upgrade may disable any notifier or disable write access (POST requests) on the `/env` actuator endpoint.
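The workaround described in the Deeper analysis and in the Vulnerability details above, expressed as configuration, is shown below. This is an added example, not configuration from the advisory or the Spring Boot Admin project. The property names are assumptions drawn from Spring Boot Admin and Spring Cloud documentation (`spring.boot.admin.notify.ms-teams.enabled` for the Teams notifier on the Admin Server, `management.endpoint.env.post.enabled` for the writable `/env` endpoint provided by spring-cloud-context on the monitored application); verify them against the versions you run.

```yaml
# Added example: hardening for CVE-2022-46166 when an upgrade to 2.6.10 / 2.7.8
# is not yet possible. Property names are assumed (see lead-in), not taken
# from the advisory.

# --- Spring Boot Admin Server: application.yml ---
spring:
  boot:
    admin:
      notify:
        # Assumption: toggle for the Microsoft Teams notifier. Disable every
        # notifier you have configured (mail, slack, etc.) in the same way;
        # the advisory's workaround is "disable any notifier".
        ms-teams:
          enabled: false

# --- Monitored Spring Boot application: application.yml ---
management:
  endpoint:
    env:
      post:
        # Assumption: spring-cloud-context property that exposes a writable
        # /actuator/env. Leaving it enabled is what gives the UI write access
        # to environment variables; set it to false (the hardened form).
        enabled: false
```

Apply the `management.endpoint.env.post.enabled: false` setting on each application registered with the Admin Server, since the write lands on the client's actuator endpoint; if the application cannot be reconfigured, blocking POST to `/actuator/env` at the reverse proxy or with a Spring Security rule achieves the same effect. After the change, confirm with an authenticated POST from a test client that the endpoint now returns an error rather than accepting the write.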

CWE(s)

CWE-94 (Code Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

codecentric · spring boot admin: 3.0.0 · ≤ 2.6.10 · 2.7.0 to 2.7.8

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-94: Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Addresses CWE-94: Dynamically generated code can be produced and executed inside an isolated chamber, preventing host compromise from code-injection payloads.
- Addresses CWE-94: Validates inputs used in dynamic code generation to block injected directives.
- Addresses CWE-94: Directly prevents execution of attacker-supplied code written into data memory regions.

References