CVE-2022-35912

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in maven/org.grails/grails-databinding

Identifiers

GHSA-6rh6-x8ww-9h97, CVE-2022-35912

Package Slug

maven/org.grails/grails-databinding

Vulnerability

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Description

In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader.

Affected Versions

All versions starting from 3.3.10 before 3.3.15, all versions starting from 4.0.0 before 4.1.1, all versions starting from 5.0.0 before 5.1.9, version 5.2.0

Solution

Upgrade to version 3.3.15, 4.1.1, 5.1.9 or 5.2.1 (or later) of the release line in use.
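An added check, not part of the advisory or of the Grails project: given the affected ranges listed above, decide whether a grails-databinding version is affected, comparing versions numerically rather than as strings (so 3.3.9 sorts below 3.3.15). The Gradle dependency-tree sample and all helper names are constructed for this example.

```python
import re

# Affected ranges as stated in this advisory: [first affected, first fixed) per release line.
AFFECTED_RANGES = [("3.3.10", "3.3.15"), ("4.0.0", "4.1.1"),
                   ("5.0.0", "5.1.9"), ("5.2.0", "5.2.1")]

def parse_version(version):
    """'5.1.9' or '5.1.9.RELEASE' -> (5, 1, 9); compared numerically, so 3.3.9 < 3.3.15.
    Trailing non-numeric qualifiers (RELEASE, BUILD-SNAPSHOT) are ignored."""
    parts = []
    for piece in re.split(r"[.\-]", version.strip()):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts + [0] * (3 - len(parts)))  # 5.2 == 5.2.0

def fixed_version_for(version):
    """Return the fix version for an affected version's release line, or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return hi
    return None

def is_affected(version):
    return fixed_version_for(version) is not None

# Constructed sample of `gradle dependencies` output (not from a real project);
# "a -> b" is Gradle's notation for a version that conflict resolution replaced.
SAMPLE_GRADLE_OUTPUT = """\
+--- org.grails:grails-core:5.1.8
+--- org.grails:grails-databinding:5.1.8
\\--- org.grails:grails-web:5.1.8
     \\--- org.grails:grails-databinding:5.1.8 -> 5.1.9
"""

DEP_LINE = re.compile(r"org\.grails:grails-databinding:([\w.\-]+)(?: -> ([\w.\-]+))?")

def scan_dependency_tree(text):
    """Return (resolved_version, affected, fix_version) for each grails-databinding line."""
    findings = []
    for m in DEP_LINE.finditer(text):
        resolved = m.group(2) or m.group(1)   # the resolved version is what actually ships
        findings.append((resolved, is_affected(resolved), fixed_version_for(resolved)))
    return findings
```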

Last Modified

2022-07-26
