6 vulnerabilities found for grails by grails
CVE-2023-46131 (GCVE-0-2023-46131)
Vulnerability from nvd – Published: 2023-12-20 23:24 – Updated: 2024-08-02 20:37
Title
Grails® data binding causes JVM crash and/or DoS
Summary
Grails is a framework used to build web applications with the Groovy programming language. A specially crafted web request can lead to a JVM crash or denial of service. Any Grails framework application using Grails data binding is vulnerable. This issue has been patched in versions 3.3.17, 4.1.3, 5.3.4, and 6.1.0.
Severity
6.5 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/grails/grails-core/security/ad… | x_refsource_CONFIRM |
| https://github.com/grails/grails-core/issues/13302 | x_refsource_MISC |
| https://github.com/grails/grails-core/commit/7432… | x_refsource_MISC |
| https://github.com/grails/grails-core/commit/c401… | x_refsource_MISC |
| https://grails.org/blog/2023-12-20-cve-data-bindi… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| grails | grails-core | Affected: >= 6.0.0, < 6.1.0; Affected: >= 5.0.0, < 5.3.4; Affected: >= 4.0.0, < 4.1.3; Affected: >= 2.0.0, < 3.3.17 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:39.816Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/grails/grails-core/security/advisories/GHSA-3pjv-r7w4-2cf5",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grails/grails-core/security/advisories/GHSA-3pjv-r7w4-2cf5"
},
{
"name": "https://github.com/grails/grails-core/issues/13302",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grails/grails-core/issues/13302"
},
{
"name": "https://github.com/grails/grails-core/commit/74326bdd2cf7dcb594092165e9464520f8366c60",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grails/grails-core/commit/74326bdd2cf7dcb594092165e9464520f8366c60"
},
{
"name": "https://github.com/grails/grails-core/commit/c401faaa6c24c021c758b95f72304a0e855a8db3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grails/grails-core/commit/c401faaa6c24c021c758b95f72304a0e855a8db3"
},
{
"name": "https://grails.org/blog/2023-12-20-cve-data-binding-dos.html",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grails.org/blog/2023-12-20-cve-data-binding-dos.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "grails-core",
"vendor": "grails",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.1.0"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.3.4"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.1.3"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 3.3.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grails is a framework used to build web applications with the Groovy programming language. A specially crafted web request can lead to a JVM crash or denial of service. Any Grails framework application using Grails data binding is vulnerable. This issue has been patched in version 3.3.17, 4.1.3, 5.3.4, 6.1.0.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-20T23:24:27.227Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/grails/grails-core/security/advisories/GHSA-3pjv-r7w4-2cf5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grails/grails-core/security/advisories/GHSA-3pjv-r7w4-2cf5"
},
{
"name": "https://github.com/grails/grails-core/issues/13302",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grails/grails-core/issues/13302"
},
{
"name": "https://github.com/grails/grails-core/commit/74326bdd2cf7dcb594092165e9464520f8366c60",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grails/grails-core/commit/74326bdd2cf7dcb594092165e9464520f8366c60"
},
{
"name": "https://github.com/grails/grails-core/commit/c401faaa6c24c021c758b95f72304a0e855a8db3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grails/grails-core/commit/c401faaa6c24c021c758b95f72304a0e855a8db3"
},
{
"name": "https://grails.org/blog/2023-12-20-cve-data-binding-dos.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://grails.org/blog/2023-12-20-cve-data-binding-dos.html"
}
],
"source": {
"advisory": "GHSA-3pjv-r7w4-2cf5",
"discovery": "UNKNOWN"
},
"title": "Grails\u00ae data binding causes JVM crash and/or DoS "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46131",
"datePublished": "2023-12-20T23:24:27.227Z",
"dateReserved": "2023-10-16T17:51:35.573Z",
"dateUpdated": "2024-08-02T20:37:39.816Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35912 (GCVE-0-2022-35912)
Vulnerability from nvd – Published: 2022-07-19 15:56 – Updated: 2024-08-03 09:44
Summary
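In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader. (In the record below, the structured affected product and version fields are "n/a"; the affected ranges appear only in this description.)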
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/grails/grails-core/security/ad… | x_refsource_CONFIRM |
| https://grails.org/blog/2022-07-18-rce-vulnerabil… | x_refsource_CONFIRM |
| https://github.com/grails/grails-core/issues/12626 | x_refsource_CONFIRM |
| http://www.openwall.com/lists/oss-security/2022/07/20/4 | mailing-list, x_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:44:22.117Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grails/grails-core/security/advisories/GHSA-6rh6-x8ww-9h97"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://grails.org/blog/2022-07-18-rce-vulnerability.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grails/grails-core/issues/12626"
},
{
"name": "[oss-security] 20220720 Grails Framework Remote Code Execution Vulnerability, CVE-2022-35912",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/07/20/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-20T23:06:09.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grails/grails-core/security/advisories/GHSA-6rh6-x8ww-9h97"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://grails.org/blog/2022-07-18-rce-vulnerability.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grails/grails-core/issues/12626"
},
{
"name": "[oss-security] 20220720 Grails Framework Remote Code Execution Vulnerability, CVE-2022-35912",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/07/20/4"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-35912",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/grails/grails-core/security/advisories/GHSA-6rh6-x8ww-9h97",
"refsource": "CONFIRM",
"url": "https://github.com/grails/grails-core/security/advisories/GHSA-6rh6-x8ww-9h97"
},
{
"name": "https://grails.org/blog/2022-07-18-rce-vulnerability.html",
"refsource": "CONFIRM",
"url": "https://grails.org/blog/2022-07-18-rce-vulnerability.html"
},
{
"name": "https://github.com/grails/grails-core/issues/12626",
"refsource": "CONFIRM",
"url": "https://github.com/grails/grails-core/issues/12626"
},
{
"name": "[oss-security] 20220720 Grails Framework Remote Code Execution Vulnerability, CVE-2022-35912",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/07/20/4"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-35912",
"datePublished": "2022-07-19T15:56:59.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2024-08-03T09:44:22.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-12728 (GCVE-0-2019-12728)
Vulnerability from nvd – Published: 2019-06-04 12:41 – Updated: 2024-08-04 23:32
Summary
Grails before 3.3.10 used cleartext HTTP to resolve the SDKMan notification service. NOTE: users' apps were not resolving dependencies over cleartext HTTP.
Severity
8.1 (High)
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://objectcomputing.com/news/2019/05/30/possi… | x_refsource_MISC |
| https://github.com/grails/grails-core/issues/11250 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:32:53.970Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://objectcomputing.com/news/2019/05/30/possible-grails-mitm-vulnerability"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grails/grails-core/issues/11250"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grails before 3.3.10 used cleartext HTTP to resolve the SDKMan notification service. NOTE: users\u0027 apps were not resolving dependencies over cleartext HTTP."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AC:H/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-04T12:41:49.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://objectcomputing.com/news/2019/05/30/possible-grails-mitm-vulnerability"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grails/grails-core/issues/11250"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-12728",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grails before 3.3.10 used cleartext HTTP to resolve the SDKMan notification service. NOTE: users\u0027 apps were not resolving dependencies over cleartext HTTP."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AC:H/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://objectcomputing.com/news/2019/05/30/possible-grails-mitm-vulnerability",
"refsource": "MISC",
"url": "https://objectcomputing.com/news/2019/05/30/possible-grails-mitm-vulnerability"
},
{
"name": "https://github.com/grails/grails-core/issues/11250",
"refsource": "MISC",
"url": "https://github.com/grails/grails-core/issues/11250"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-12728",
"datePublished": "2019-06-04T12:41:49.000Z",
"dateReserved": "2019-06-04T00:00:00.000Z",
"dateUpdated": "2024-08-04T23:32:53.970Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46131 (GCVE-0-2023-46131)
Vulnerability from cvelistv5 – Published: 2023-12-20 23:24 – Updated: 2024-08-02 20:37
Title
Grails® data binding causes JVM crash and/or DoS
Summary
Grails is a framework used to build web applications with the Groovy programming language. A specially crafted web request can lead to a JVM crash or denial of service. Any Grails framework application using Grails data binding is vulnerable. This issue has been patched in versions 3.3.17, 4.1.3, 5.3.4, and 6.1.0.
Severity
6.5 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/grails/grails-core/security/ad… | x_refsource_CONFIRM |
| https://github.com/grails/grails-core/issues/13302 | x_refsource_MISC |
| https://github.com/grails/grails-core/commit/7432… | x_refsource_MISC |
| https://github.com/grails/grails-core/commit/c401… | x_refsource_MISC |
| https://grails.org/blog/2023-12-20-cve-data-bindi… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| grails | grails-core | Affected: >= 6.0.0, < 6.1.0; Affected: >= 5.0.0, < 5.3.4; Affected: >= 4.0.0, < 4.1.3; Affected: >= 2.0.0, < 3.3.17 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:39.816Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/grails/grails-core/security/advisories/GHSA-3pjv-r7w4-2cf5",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grails/grails-core/security/advisories/GHSA-3pjv-r7w4-2cf5"
},
{
"name": "https://github.com/grails/grails-core/issues/13302",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grails/grails-core/issues/13302"
},
{
"name": "https://github.com/grails/grails-core/commit/74326bdd2cf7dcb594092165e9464520f8366c60",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grails/grails-core/commit/74326bdd2cf7dcb594092165e9464520f8366c60"
},
{
"name": "https://github.com/grails/grails-core/commit/c401faaa6c24c021c758b95f72304a0e855a8db3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grails/grails-core/commit/c401faaa6c24c021c758b95f72304a0e855a8db3"
},
{
"name": "https://grails.org/blog/2023-12-20-cve-data-binding-dos.html",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grails.org/blog/2023-12-20-cve-data-binding-dos.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "grails-core",
"vendor": "grails",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.1.0"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.3.4"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.1.3"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 3.3.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grails is a framework used to build web applications with the Groovy programming language. A specially crafted web request can lead to a JVM crash or denial of service. Any Grails framework application using Grails data binding is vulnerable. This issue has been patched in version 3.3.17, 4.1.3, 5.3.4, 6.1.0.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-20T23:24:27.227Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/grails/grails-core/security/advisories/GHSA-3pjv-r7w4-2cf5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grails/grails-core/security/advisories/GHSA-3pjv-r7w4-2cf5"
},
{
"name": "https://github.com/grails/grails-core/issues/13302",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grails/grails-core/issues/13302"
},
{
"name": "https://github.com/grails/grails-core/commit/74326bdd2cf7dcb594092165e9464520f8366c60",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grails/grails-core/commit/74326bdd2cf7dcb594092165e9464520f8366c60"
},
{
"name": "https://github.com/grails/grails-core/commit/c401faaa6c24c021c758b95f72304a0e855a8db3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grails/grails-core/commit/c401faaa6c24c021c758b95f72304a0e855a8db3"
},
{
"name": "https://grails.org/blog/2023-12-20-cve-data-binding-dos.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://grails.org/blog/2023-12-20-cve-data-binding-dos.html"
}
],
"source": {
"advisory": "GHSA-3pjv-r7w4-2cf5",
"discovery": "UNKNOWN"
},
"title": "Grails\u00ae data binding causes JVM crash and/or DoS "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46131",
"datePublished": "2023-12-20T23:24:27.227Z",
"dateReserved": "2023-10-16T17:51:35.573Z",
"dateUpdated": "2024-08-02T20:37:39.816Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35912 (GCVE-0-2022-35912)
Vulnerability from cvelistv5 – Published: 2022-07-19 15:56 – Updated: 2024-08-03 09:44
Summary
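In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader. (In the record below, the structured affected product and version fields are "n/a"; the affected ranges appear only in this description.)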
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/grails/grails-core/security/ad… | x_refsource_CONFIRM |
| https://grails.org/blog/2022-07-18-rce-vulnerabil… | x_refsource_CONFIRM |
| https://github.com/grails/grails-core/issues/12626 | x_refsource_CONFIRM |
| http://www.openwall.com/lists/oss-security/2022/07/20/4 | mailing-list, x_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:44:22.117Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grails/grails-core/security/advisories/GHSA-6rh6-x8ww-9h97"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://grails.org/blog/2022-07-18-rce-vulnerability.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grails/grails-core/issues/12626"
},
{
"name": "[oss-security] 20220720 Grails Framework Remote Code Execution Vulnerability, CVE-2022-35912",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/07/20/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-20T23:06:09.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grails/grails-core/security/advisories/GHSA-6rh6-x8ww-9h97"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://grails.org/blog/2022-07-18-rce-vulnerability.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grails/grails-core/issues/12626"
},
{
"name": "[oss-security] 20220720 Grails Framework Remote Code Execution Vulnerability, CVE-2022-35912",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/07/20/4"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-35912",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/grails/grails-core/security/advisories/GHSA-6rh6-x8ww-9h97",
"refsource": "CONFIRM",
"url": "https://github.com/grails/grails-core/security/advisories/GHSA-6rh6-x8ww-9h97"
},
{
"name": "https://grails.org/blog/2022-07-18-rce-vulnerability.html",
"refsource": "CONFIRM",
"url": "https://grails.org/blog/2022-07-18-rce-vulnerability.html"
},
{
"name": "https://github.com/grails/grails-core/issues/12626",
"refsource": "CONFIRM",
"url": "https://github.com/grails/grails-core/issues/12626"
},
{
"name": "[oss-security] 20220720 Grails Framework Remote Code Execution Vulnerability, CVE-2022-35912",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/07/20/4"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-35912",
"datePublished": "2022-07-19T15:56:59.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2024-08-03T09:44:22.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-12728 (GCVE-0-2019-12728)
Vulnerability from cvelistv5 – Published: 2019-06-04 12:41 – Updated: 2024-08-04 23:32
Summary
Grails before 3.3.10 used cleartext HTTP to resolve the SDKMan notification service. NOTE: users' apps were not resolving dependencies over cleartext HTTP.
Severity
8.1 (High)
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://objectcomputing.com/news/2019/05/30/possi… | x_refsource_MISC |
| https://github.com/grails/grails-core/issues/11250 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:32:53.970Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://objectcomputing.com/news/2019/05/30/possible-grails-mitm-vulnerability"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grails/grails-core/issues/11250"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grails before 3.3.10 used cleartext HTTP to resolve the SDKMan notification service. NOTE: users\u0027 apps were not resolving dependencies over cleartext HTTP."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AC:H/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-04T12:41:49.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://objectcomputing.com/news/2019/05/30/possible-grails-mitm-vulnerability"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grails/grails-core/issues/11250"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-12728",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grails before 3.3.10 used cleartext HTTP to resolve the SDKMan notification service. NOTE: users\u0027 apps were not resolving dependencies over cleartext HTTP."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AC:H/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://objectcomputing.com/news/2019/05/30/possible-grails-mitm-vulnerability",
"refsource": "MISC",
"url": "https://objectcomputing.com/news/2019/05/30/possible-grails-mitm-vulnerability"
},
{
"name": "https://github.com/grails/grails-core/issues/11250",
"refsource": "MISC",
"url": "https://github.com/grails/grails-core/issues/11250"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-12728",
"datePublished": "2019-06-04T12:41:49.000Z",
"dateReserved": "2019-06-04T00:00:00.000Z",
"dateUpdated": "2024-08-04T23:32:53.970Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}