What is the severity of CVE-2022-46166?

CVE-2022-46166 is considered a significant vulnerability affecting Spring Boot Admin Server with specific configurations.

How do I fix CVE-2022-46166?

To fix CVE-2022-46166, users should upgrade to a version of Spring Boot Admin that is not affected, specifically above 2.6.10 or 2.7.8, or the later milestone versions for 3.0.0.

Which versions are affected by CVE-2022-46166?

CVE-2022-46166 affects Spring Boot Admin versions up to 2.6.10, versions between 2.7.0 and 2.7.8, and milestones 1 through 5 of 3.0.0.

Who is affected by CVE-2022-46166?

All users running Spring Boot Admin Server with enabled Notifiers and write access to environment variables via the UI are affected by CVE-2022-46166.

What is the impact of CVE-2022-46166?

CVE-2022-46166 can potentially allow unauthorized changes to environment variables, leading to configuration manipulation of Spring Boot applications.

Vulnerability/
CVE-2022-46166

critical

9.8

CWE

9/12/2022

23/4/2025

CVE-2022-46166: Spring Boot Admins integrated notifier support allows arbitrary code execution

First published: Fri Dec 09 2022(Updated: )

Spring boot admins is an open source administrative user interface for management of spring boot applications. All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are affected. Users are advised to upgrade to the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 to resolve this issue. Users unable to upgrade may disable any notifier or disable write access (POST request) on `/env` actuator endpoint.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
Spring Boot Admin	<2.6.10
Spring Boot Admin	>=2.7.0<2.7.8
Spring Boot Admin	=3.0.0-m1
Spring Boot Admin	=3.0.0-m2
Spring Boot Admin	=3.0.0-m3
Spring Boot Admin	=3.0.0-m4
Spring Boot Admin	=3.0.0-m5

Remedy

https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2022-46166?
CVE-2022-46166 is considered a significant vulnerability affecting Spring Boot Admin Server with specific configurations.
How do I fix CVE-2022-46166?
To fix CVE-2022-46166, users should upgrade to a version of Spring Boot Admin that is not affected, specifically above 2.6.10 or 2.7.8, or the later milestone versions for 3.0.0.
Which versions are affected by CVE-2022-46166?
CVE-2022-46166 affects Spring Boot Admin versions up to 2.6.10, versions between 2.7.0 and 2.7.8, and milestones 1 through 5 of 3.0.0.
Who is affected by CVE-2022-46166?
All users running Spring Boot Admin Server with enabled Notifiers and write access to environment variables via the UI are affected by CVE-2022-46166.
What is the impact of CVE-2022-46166?
CVE-2022-46166 can potentially allow unauthorized changes to environment variables, leading to configuration manipulation of Spring Boot applications.

agent/references
agent/type
collector/mitre-cve
source/MITRE
agent/title
agent/severity
agent/remedy
agent/weakness
agent/first-publish-date
agent/description
agent/last-modified-date
agent/author
agent/softwarecombine
agent/event
agent/source
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/software-canonical-lookup-request
collector/nvd-index
vendor/codecentric
canonical/spring boot admin
version/spring boot admin/2.7.0
version/spring boot admin/3.0.0-m1
version/spring boot admin/3.0.0-m2
version/spring boot admin/3.0.0-m3
version/spring boot admin/3.0.0-m4
version/spring boot admin/3.0.0-m5