Description

Spring boot admins is an open source administrative user interface for management of spring boot applications. All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are affected. Users are advised to upgrade to the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 to resolve this issue. Users unable to upgrade may disable any notifier or disable write access (POST request) on `/env` actuator endpoint.

Remediation

References

https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75

https://github.com/codecentric/spring-boot-admin/security/advisories/GHSA-w3x5-427h-wfq6

Related Vulnerabilities

CVE-2024-1597 Vulnerability in maven package org.postgresql:postgresql

CVE-2022-24773 Vulnerability in npm package node-forge

CVE-2022-24196 Vulnerability in maven package com.itextpdf:itext7-core

CVE-2020-15999 Vulnerability in npm package electron

CVE-2023-46233 Vulnerability in maven package org.webjars.bower:crypto-js

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Mitigation NVD-CWE-noinfo