CVE-2022-46166

HIGH

Spring Boot Admin <2.7.8 - Info Disclosure

Title source: llm

Description

Spring boot admins is an open source administrative user interface for management of spring boot applications. All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are affected. Users are advised to upgrade to the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 to resolve this issue. Users unable to upgrade may disable any notifier or disable write access (POST request) on `/env` actuator endpoint.

Exploits (1)

nomisec WORKING POC 1 stars

by shoucheng3 · poc

https://github.com/shoucheng3/codecentric__spring-boot-admin_CVE-2022-46166_2-6-9

View Code ZIP pw:eip

References (2)

[Patch, Third Party Advisory] https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75

[Mitigation, Third Party Advisory] https://github.com/codecentric/spring-boot-admin/security/advisories/GHSA-w3x5-427h-wfq6

Scores

CVSS v3 8.0

EPSS 0.2698

EPSS Percentile 96.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Classification

CWE

CWE-94

Status published

Affected Products (7)

codecentric/spring_boot_admin < 2.6.10

codecentric/spring_boot_admin

codecentric/spring_boot_admin

codecentric/spring_boot_admin

codecentric/spring_boot_admin

codecentric/spring_boot_admin

de.codecentric/spring-boot-admin < 2.6.10Maven

Timeline

Published Dec 09, 2022

Tracked Since Feb 18, 2026