Vulnerability Description
Nepxion Discovery is a solution for Spring Cloud. Discover is vulnerable to SpEL Injection in discovery-commons. DiscoveryExpressionResolver’s eval method is evaluating expression with a StandardEvaluationContext, allowing the expression to reach and interact with Java classes such as java.lang.Runtime, leading to Remote Code Execution. There is no patch available for this issue at time of publication. There are no known workarounds.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nepxion | Discovery | <= 6.16.2 |
Related Weaknesses (CWE)
References
- https://securitylab.github.com/advisories/GHSL-2022-033_GHSL-2022-034_Discovery/ExploitThird Party Advisory
- https://securitylab.github.com/advisories/GHSL-2022-033_GHSL-2022-034_Discovery/ExploitThird Party Advisory
FAQ
What is CVE-2022-23463?
CVE-2022-23463 is a vulnerability with a CVSS score of 9.4 (CRITICAL). Nepxion Discovery is a solution for Spring Cloud. Discover is vulnerable to SpEL Injection in discovery-commons. DiscoveryExpressionResolver’s eval method is evaluating expression with a StandardEvalu...
How severe is CVE-2022-23463?
CVE-2022-23463 has been rated CRITICAL with a CVSS base score of 9.4/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-23463?
Check the references section above for vendor advisories and patch information. Affected products include: Nepxion Discovery.