Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Spring Boot Admins integrated notifier support allows arbitrary code execution
Vulnerability Description
Spring boot admins is an open source administrative user interface for management of spring boot applications. All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are affected. Users are advised to upgrade to the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 to resolve this issue. Users unable to upgrade may disable any notifier or disable write access (POST request) on `/env` actuator endpoint.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Vulnerability Title
spring-boot-admin 代码注入漏洞
Vulnerability Description
spring-boot-admin是一个开源的基于Spring boot+Mybatis的后台管理系统,具备用户管理,菜单管理和角色管理3个功能,权限控制到按钮层级。 spring-boot-admin 2.6.10 之前版本和 2.7.8之前版本存在代码注入漏洞,该漏洞源于所有运行 Spring Boot Admin Server、启用通知程序(例如 Teams-Notifier)并通过 UI 写入环境变量的用户都可能受到代码注入影响。
CVSS Information
N/A
Vulnerability Type
N/A