
CVE-2022-46166 PoC — Spring Boot Admins integrated notifier support allows arbitrary code execution

Associated Vulnerability
Title: Spring Boot Admin's integrated notifier support allows arbitrary code execution (CVE-2022-46166)
Description: Spring Boot Admin is an open source administrative user interface for managing Spring Boot applications. All users who run Spring Boot Admin Server with notifiers enabled (e.g. the Teams notifier) and with write access to environment variables via the UI are affected. Users are advised to upgrade to the most recent releases, Spring Boot Admin 2.6.10 and 2.7.8, to resolve this issue. Users unable to upgrade may disable every notifier or disable write access (POST requests) on the `/env` actuator endpoint.
Description
CVE-2022-46166 lab environment
Readme
# CVE-2022-46166 lab environment

## Vulnerability description

> Spring Boot Admin is an open source administrative user interface for managing Spring Boot applications. It monitors standalone or clustered Spring Boot projects and provides detailed health information, memory information, JVM system and environment properties, garbage collection information, log level configuration and log viewing, scheduled task viewing, Spring Boot cache viewing and management, and more.
>
> When a notifier is enabled in an application managed by Spring Boot Admin, and that application is protected only by a weak password or not at all, an attacker can use the relevant endpoint to set configuration values, which triggers evaluation of a SpEL expression and executes arbitrary commands.
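
The exposure described above is a configuration pattern on the Spring Boot Admin server itself: a notifier is configured, the `env` actuator endpoint is reachable over HTTP, and the writable (POST) `env` endpoint is switched on, which is exactly the combination the advisory on this page names and tells you to break (disable the notifier, or disable POST on `/env`). The script below is an added example, not code from this lab or from the Spring Boot Admin project; it parses a Spring Boot `application.properties`-style file and reports whether that pattern is present, with a constructed weak configuration beside a hardened one. Assumptions: notifier settings live under `spring.boot.admin.notify.<name>.*` and `<name>.enabled=false` switches one off; `management.endpoint.env.post.enabled` is the Spring Cloud Context switch for the writable `env` endpoint and is treated as disabled when unset; the sample webhook URL and the `.properties` layout are made up for the example.

```python
"""Audit a Spring Boot Admin server's configuration for the CVE-2022-46166
exposure pattern: a notifier configured, /actuator/env exposed over HTTP,
and the writable (POST) env endpoint enabled. Added example, not project code."""
from typing import Dict, List

NOTIFY_PREFIX = "spring.boot.admin.notify."


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines in Java .properties style; blank lines and comments are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _csv(value: str) -> List[str]:
    return [item.strip() for item in value.split(",") if item.strip()]


def env_endpoint_web_exposed(props: Dict[str, str]) -> bool:
    """True if /actuator/env is reachable over HTTP.
    Spring Boot's default web exposure does not include env; an exclude entry wins over include."""
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    if "*" in exclude or "env" in exclude:
        return False
    return "*" in include or "env" in include


def env_post_enabled(props: Dict[str, str]) -> bool:
    """True if the writable env endpoint (Spring Cloud Context) is switched on.
    Assumption: an unset key counts as disabled; hardened configs set it to false explicitly."""
    return props.get("management.endpoint.env.post.enabled", "false").lower() == "true"


def active_notifiers(props: Dict[str, str]) -> List[str]:
    """Notifier names that have any spring.boot.admin.notify.<name>.* key,
    minus those explicitly disabled with <name>.enabled=false (assumed layout)."""
    names = {key[len(NOTIFY_PREFIX):].split(".")[0] for key in props if key.startswith(NOTIFY_PREFIX)}
    return sorted(n for n in names
                  if props.get(f"{NOTIFY_PREFIX}{n}.enabled", "true").lower() != "false")


def audit(text: str) -> Dict[str, object]:
    """Return the individual conditions plus whether all three line up as in the advisory."""
    props = parse_properties(text)
    notifiers = active_notifiers(props)
    exposed = env_endpoint_web_exposed(props)
    writable = env_post_enabled(props)
    findings: List[str] = []
    if notifiers:
        findings.append("notifier(s) configured: " + ", ".join(notifiers))
    if exposed and writable:
        findings.append("env endpoint exposed over web and POST enabled")
    return {
        "notifiers": notifiers,
        "env_web_exposed": exposed,
        "env_post_enabled": writable,
        "matches_advisory_pattern": bool(notifiers) and exposed and writable,
        "findings": findings,
    }


# Constructed sample configuration (not this lab's application.yaml): the weak setup.
WEAK_CONFIG = """
spring.boot.admin.notify.ms-teams.webhook-url=https://example.invalid/webhook
management.endpoints.web.exposure.include=*
management.endpoint.env.post.enabled=true
"""

# Constructed hardened counterpart following the advisory's workaround:
# notifier switched off and no POST on /env (env not even exposed over the web).
HARDENED_CONFIG = """
spring.boot.admin.notify.ms-teams.webhook-url=https://example.invalid/webhook
spring.boot.admin.notify.ms-teams.enabled=false
management.endpoints.web.exposure.include=health,info
management.endpoint.env.post.enabled=false
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```

Run it against the properties (or a flattened YAML) of the admin server, not only of the monitored applications: the notifier code that evaluates the expression runs inside the server, so that is the instance whose `/env` write access matters.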

## Affected versions

- 2.6.0 ≤ Spring Boot Admin < 2.6.10
- 2.7.0 ≤ Spring Boot Admin < 2.7.8
- 3.0.0 pre-release milestones earlier than 3.0.0-M6 (the lab below uses 3.0.0-M5)

## Fixed versions

- 2.6.10
- 2.7.8
- 3.0.0-M6

## Lab environment dependencies

| Dependency                       | Version  |
|----------------------------------|----------|
| spring-boot-admin-starter-server | 3.0.0-M5 |
| spring-boot-admin-starter-client | 3.0.0-M5 |
| spring-cloud-dependencies        | 2022.0.1 |

File Snapshot

[4.0K] /data/pocs/64a1662baab0cfa269343219d91513641f8fdcab
├── [ 10K] mvnw
├── [2.4K] pom.xml
├── [1.0K] README.md
└── [4.0K] src
    ├── [4.0K] main
    │   ├── [4.0K] java
    │   │   └── [4.0K] com
    │   │       └── [4.0K] test
    │   │           └── [4.0K] server
    │   │               └── [ 405] ServerApplication.java
    │   └── [4.0K] resources
    │       └── [ 554] application.yaml
    └── [4.0K] test
        └── [4.0K] java
            └── [4.0K] com
                └── [4.0K] test
                    └── [4.0K] server
                        └── [ 216] ServerApplicationTests.java

12 directories, 6 files