CVE-2022-45855: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

July 12, 2023 (updated July 20, 2023)

SpringEL injection in the metrics source in Apache Ambari version 2.7.0 to 2.7.6 allows a malicious authenticated user to execute arbitrary code remotely. Users are recommended to upgrade to 2.7.7.

References

github.com/advisories/GHSA-p7w2-784m-qpq9
lists.apache.org/thread/302c4hwfjy9lx63jrbhcdx948pxc54l1
nvd.nist.gov/vuln/detail/CVE-2022-45855

Detect and mitigate CVE-2022-45855 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →