A vulnerability classified as problematic has been found in Grails up to 3.3.16/4.1.2/5.3.3/6.0.x. Affected is an unknown code of the component Web Request Handler. The manipulation with an unknown input leads to a resource consumption vulnerability. CWE is classifying the issue as CWE-400. The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. This is going to have an impact on availability. CVE summarizes:

Grails is a framework used to build web applications with the Groovy programming language. A specially crafted web request can lead to a JVM crash or denial of service. Any Grails framework application using Grails data binding is vulnerable. This issue has been patched in version 3.3.17, 4.1.3, 5.3.4, 6.1.0.

The weakness was released 12/21/2023 as 13302. The advisory is shared for download at github.com. This vulnerability is traded as CVE-2023-46131 since 10/16/2023. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1499.

Upgrading to version 3.3.17, 4.1.3, 5.3.4 or 6.1.0 eliminates this vulnerability. Applying the patch 74326bdd2cf7dcb594092165e9464520f8366c60 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Productinfo

Name

• Grails

Version

• 3.3.0
• 3.3.1
• 3.3.2
• 3.3.3
• 3.3.4
• 3.3.5
• 3.3.6
• 3.3.7
• 3.3.8
• 3.3.9
• 3.3.10
• 3.3.11
• 3.3.12
• 3.3.13
• 3.3.14
• 3.3.15
• 3.3.16
• 4.1.0
• 4.1.1
• 4.1.2
• 5.3.0
• 5.3.1
• 5.3.2
• 5.3.3
• 6.0

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion