Critical Security Vulnerability in Grails Could Lead to Remote Code Execution


Maintainers warn to patch all versions of open source web application framework – even those not considered vulnerable

Researchers from AntGroup FG Security Lab have discovered a critical security vulnerability that allows an attacker to remotely execute code in the runtime environment of a Grails application.

Grails is an open source web application framework based on the Apache Groovy programming language and is used to develop agile web applications. Clients include Google, IBM, Walmart, Credit Suisse and Mastercard.

The flaw, tracked as CVE-2022-35912, allows an attacker to remotely execute code within the runtime environment of a Grails application by issuing a specially crafted web request that grants the attacker class loader access.


The attack exploits a section of Grails data binding logic, which is invoked in several ways, including creating command objects, constructing domain classes, and manual data binding when using bindData.

The vulnerability has been confirmed on Grails framework versions 3.3.10 and higher, including Grails 4 and 5 frameworks, which run on Java 8. It has been observed in both the embedded Tomcat runtime and applications deployed as a web archive (WAR) for an instance of Tomcat.

“Due to the nature of this vulnerability, we strongly suggest that all Grails applications, including those not vulnerable to this specific attack, be updated to a patched version of Grails,” the Grails team noted in a blog post.

“Although we have not been able to reproduce this specific exploit on applications running Java 11 or versions of the Grails framework prior to 3.3.10, the nature of the vulnerability is such that variations of the attack could be discovered in earlier versions of Grails, and Grails applications running on higher versions of Java will be impacted.”

Fixes available

Fixed versions 5.2.1, 5.1.9, 4.1.1 and 3.3.15 are now available, and the team recommends upgrading to one of them. Grails 4.x applications can be upgraded to 4.1.1 or higher, Grails 5.0.x and 5.1.x applications can be upgraded to 5.1.9 or higher, and Grails 5.2 applications can be upgraded to version 5.2.1 or higher.
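To turn the upgrade guidance above into a quick inventory check, here is an added example (not code from the Grails project or from the article) that reads the grailsVersion property from a project's gradle.properties file and reports whether it falls below the fixed release for its line; the gradle.properties key name and the sample file contents are assumptions.

```python
"""Classify a Grails project's version against the fixed releases named in
the CVE-2022-35912 advisory (added example; not from the Grails project)."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases as stated in the advisory, keyed by the release line they patch.
FIXED = {
    (3, 3): (3, 3, 15),
    (4,): (4, 1, 1),
    (5, 0): (5, 1, 9),   # 5.0.x and 5.1.x both move to 5.1.9
    (5, 1): (5, 1, 9),
    (5, 2): (5, 2, 1),
}

# Constructed gradle.properties content; real projects set grailsVersion here (assumed convention).
SAMPLE_PROPERTIES = "grailsGradlePluginVersion=5.1.2\ngrailsVersion=5.1.8\ngroovyVersion=3.0.7\n"


def grails_version_from_properties(text: str) -> Optional[str]:
    """Return the grailsVersion value from gradle.properties text, or None if absent."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "grailsVersion":
            return value.strip()
    return None


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' (suffixes such as -RC1 are ignored)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Grails version: {text!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def classify(version: str) -> Tuple[str, Optional[Version]]:
    """Return (status, fixed_target). Versions above a fixed release are treated as fixed
    only because they sort above it; the advisory names the four fixed releases explicitly."""
    v = parse_version(version)
    major, minor, _ = v
    if major == 5:
        target = FIXED[(5, 2)] if minor >= 2 else FIXED[(5, 1)]
    elif major == 4:
        target = FIXED[(4,)]
    elif major == 3:
        target = FIXED[(3, 3)]
    else:
        return ("unknown", None)  # outside the advisory's scope
    if v >= target:
        return ("fixed", None)
    if v < (3, 3, 10):
        return ("not-reproduced", target)  # not reproduced, but patching is still advised
    return ("vulnerable", target)
```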

“The Grails Foundation and the core Grails development team take application security very seriously,” the team wrote. “We continue to research and monitor this vulnerability.”


