CVE-2022-35912

Description

### Impact A vulnerability has been discovered in the Grails data-binding logic which allows for Remote Code Execution in a Grails application. This exploit requires the application to be running on Java 8, either deployed as a WAR to a servlet container, or an executable JAR. ### Patches Grails framework versions 5.2.1, 5.1.9, 4.1.1, and 3.3.15 ### References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35912 https://grails.org/blog/2022-07-18-rce-vulnerability.html ### For more information If you have any questions or comments about this advisory: * https://grails.org/blog/2022-07-18-rce-vulnerability.html * https://github.com/grails/grails-core/issues/12626 * Email us at [info@grails.org](mailto:info@grails.org) ### Credit This vulnerability was discovered by [meizjm3i](https://github.com/meizjm3i) and [codeplutos](https://github.com/codeplutos) of AntGroup FG Security Lab

How to fix CVE-2022-35912

To remediate CVE-2022-35912, upgrade the affected package to a fixed version below.

• —upgrade to 3.3.15 or later

Is CVE-2022-35912 being exploited?

Low — EPSS is 4.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 3.3.10, < 3.3.15

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-35912
• PATCHgithub.com/grails/grails-core
• WEBgithub.com/grails/grails-core/issues/12626
• WEBgithub.com/grails/grails-core/security/advisories/GHSA-6rh6-x8ww-9h97
• WEB