CVE-2022-46166

HIGH LAB

Spring Boot Admin <2.7.8 - Info Disclosure

Title source: llm

Description

Spring boot admins is an open source administrative user interface for management of spring boot applications. All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are affected. Users are advised to upgrade to the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 to resolve this issue. Users unable to upgrade may disable any notifier or disable write access (POST request) on `/env` actuator endpoint.

Exploits (1)

nomisec WORKING POC 1 stars

by shoucheng3 · poc

https://github.com/shoucheng3/codecentric__spring-boot-admin_CVE-2022-46166_2-6-9

View Code ZIP pw:eip

References (2)

[Patch, Third Party Advisory] https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75

[Mitigation, Third Party Advisory] https://github.com/codecentric/spring-boot-admin/security/advisories/GHSA-w3x5-427h-wfq6

Scores

CVSS v3 8.0

EPSS 0.2698

EPSS Percentile 96.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Lab Environment

COMMUNITY

Community Lab

docker pull library/consul

docker pull springcloud/eureka

docker pull springcloud/configserver

docker pull springcloud/customers

docker pull springcloud/stores

+4 more images

https://github.com/shoucheng3/codecentric__spring-boot-admin_CVE-2022-46166_2-6-9

View in Library

Details

CWE

CWE-94

Status published

Products (3)

codecentric/spring_boot_admin 3.0.0 m1 (5 CPE variants)

codecentric/spring_boot_admin < 2.6.10

de.codecentric/spring-boot-admin 0 - 2.6.10Maven

Published Dec 09, 2022

Tracked Since Feb 18, 2026