Cyber Security

Nepxion Discovery software with Spring Cloud functionality fails to patch RCE, info leak bugs

An unpatched remote code execution (RCE) vulnerability in Nepxion Discovery, an open source project that provides functionality for the Spring Cloud framework, has been made public.

Security researchers from GitHub Security Lab (GHSL) disclosed the vulnerability, alongside an additional information disclosure flaw in Nepxion Discovery on September 9.

Nepxion, a China-based vendor, maintains several open source projects related to Spring Cloud.

Despite the Nepxion Discovery GitHub page having over 1,300 forks, the security policy page is disabled and the security advisories tab is empty.

SpEL injection

In a blog post, GHSL researcher Jorge Rosillo said the most severe vulnerability, tracked as GHSL-2022-033 (CVE-2022-23463), is a critical issue in the discovery-commons function that renders the software vulnerable to SpEL Injection.

SpEL Injection attacks occur when there is a lack of protection to stop user input from passing directly to a SpEL expression parser. In this case, two endpoints turn user input into expressions, pass them through, and input is then allowed to interact with Java classes – including java.lang.Runtime – leading to RCE.

Due to the severity, this vulnerability was assigned a CVSS score of 9.8.

The second issue, tracked as GHSL-2022-033 (CVE-2022-23464) and issued a can GitHub score of 4.3 (NIST 7.5), is a server-side request forgery (SSRF) flaw that could result in information leaks.

According to the GHSL, no patch has been made available, and there are no known workarounds for either vulnerability. The issues impact Nepxion Discovery versions 6.16.2 and below.

The cybersecurity researchers privately disclosed their findings to Nepxion on May 22. In June, the team requested a security contact and, with no response forthcoming, a public issue was opened on June 20.

The maintainers closed the public issue on August 9.

By August 21, the standard vulnerability disclosure process deadline had expired, leading to the assignment of CVE-2022-23463 and CVE-2022-23464 and public disclosure.

When approached for comment, GitHub pointed us to the original disclosure.

Nepxion has yet to respond to queries submitted by The Daily Swig, but we will update this article if and when we hear back.

Source: https://portswigger.net/daily-swig/nepxion-discovery-software-with-spring-cloud-functionality-fails-to-patch-rce-info-leak-bugs

Advertisement. Scroll to continue reading.
Click to comment

You May Also Like

Cyber Security

Google has published its annual 0-day vulnerability report, presenting in-the-wild exploitation stats from 2022 and highlighting a long-standing problem in the Android platform that...

Cyber Security

HAProxy, the popular open source load balancer and reverse proxy, has patched a bug that could enable attackers to stage HTTP request smuggling attacks. By sending a maliciously...

Cyber Security

Apache has resolved a vulnerability potentially exploitable to launch remote code execution (RCE) attacks using Kafka Connect. Announced on February 8, the critical vulnerability...

Cyber Security

Security analysis tool Binwalk itself poses a security risk to users running out-of-date versions due to a path traversal vulnerability that could lead to...

Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO

Exit mobile version