CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-46131 – Grails® data binding causes JVM crash and/or DoS
https://notcve.org/view.php?id=CVE-2023-46131
Grails is a framework used to build web applications with the Groovy programming language. A specially crafted web request can lead to a JVM crash or denial of service. Any Grails framework application using Grails data binding is vulnerable. This issue has been patched in version 3.3.17, 4.1.3, 5.3.4, 6.1.0. Grails es un framework utilizado para crear aplicaciones web con el lenguaje de programación Groovy. • https://github.com/grails/grails-core/commit/74326bdd2cf7dcb594092165e9464520f8366c60 https://github.com/grails/grails-core/commit/c401faaa6c24c021c758b95f72304a0e855a8db3 https://github.com/grails/grails-core/issues/13302 https://github.com/grails/grails-core/security/advisories/GHSA-3pjv-r7w4-2cf5 https://grails.org/blog/2023-12-20-cve-data-binding-dos.html • CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2019-12728
https://notcve.org/view.php?id=CVE-2019-12728
Grails before 3.3.10 used cleartext HTTP to resolve the SDKMan notification service. NOTE: users' apps were not resolving dependencies over cleartext HTTP. Grails anterior de la versión 3.3.10 usaba cleartext HTTP para resolver el servicio de notificación SDKMan. NOTA: las aplicaciones de los usuarios no resolvían las posesiones a través de HTTP de texto simple. • https://github.com/grails/grails-core/issues/11250 https://objectcomputing.com/news/2019/05/30/possible-grails-mitm-vulnerability • CWE-494: Download of Code Without Integrity Check •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1CVE-2016-6521
https://notcve.org/view.php?id=CVE-2016-6521
Cross-site request forgery (CSRF) vulnerability in Grails console (aka Grails Debug Console and Grails Web Console) 2.0.7, 1.5.10, and earlier allows remote attackers to hijack the authentication of users for requests that execute arbitrary Groovy code via unspecified vectors. Vulnerabilidad de CSRF en la consola de Grails (también conocida como Grails Debug Console y Grails Web Console) 2.0.7, 1.5.10 y versiones anteriores permite a atacantes remotos secuestrar la autenticación de usuarios para solicitudes que ejecuten código Groovy arbitrario a través de vectores no especificados. • http://www.openwall.com/lists/oss-security/2016/08/02/11 http://www.openwall.com/lists/oss-security/2016/08/02/2 http://www.openwall.com/lists/oss-security/2016/08/03/9 http://www.securityfocus.com/bid/92267 https://github.com/sheehan/grails-console/issues/54 https://github.com/sheehan/grails-console/issues/55 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.0EPSS: 0%CPEs: 16EXPL: 1CVE-2012-1833
https://notcve.org/view.php?id=CVE-2012-1833
VMware SpringSource Grails before 1.3.8, and 2.x before 2.0.2, does not properly restrict data binding, which might allow remote attackers to bypass intended access restrictions and modify arbitrary object properties via a crafted request parameter to an application. VMware SpringSource Grails antes de v1.3.8, y v2.x antes de v2.0.2, no restringe correctamente el enlace a los datos, lo que podría permitir a atacantes remotos eludir las restricciones de acceso y modificar las propiedades de objetos de su elección a través de un parámetro modificado en una petición a la aplicación. • http://secunia.com/advisories/51113 http://support.springsource.com/security/cve-2012-1833 http://www.securityfocus.com/bid/55763 • CWE-264: Permissions, Privileges, and Access Controls •