CVE-2022-46166: Spring Boot Admin arbitrary code execution

A security researcher has discovered a high-risk vulnerability in the Spring Boot Admin, which is a remote code execution flaw that could allow remote attackers to execute arbitrary code against Spring Boot applications.

Spring Boot helps you to create Spring-powered, production-grade applications and services with absolute minimum fuss. Spring boot admins is an open-source administrative user interface for the management of spring boot applications.  The applications register with our Spring Boot Admin Client (via HTTP) or are discovered using Spring Cloud (e.g. Eureka, Consul). The UI is just a Vue.js application on top of the Spring Boot Actuator endpoints.

In an advisory released recently by the codecentric, the company detailed the CVE-2022-46166 discovered in the Spring Boot Admins prior version < 2.6.10,  prior version < 2.7.8, and < prior version 3.0.0-M6.

“All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are possibly affected.”

This vulnerability doesn’t work if you are not using Notifiers or disabled write access (POST request) on /ent actuator endpoint

Codecentric has released Spring Boot Admins 2.6.10, 2.7.8, and 3.0.0-M6, which include fixes for this security bug. Spring Boot Admin 2.6.10 and 2.7.8 fixed CVE-2022-46166 by implementing SimpleExecutionContext of SpEL. This prevents arbitrary code execution (i.e. SpEL injection).

So developers and administrators are highly recommended to upgrade their software to the latest versions immediately.