CVE-2022-42009: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

July 12, 2023 (updated July 20, 2023)

SpringEL injection in the server agent in Apache Ambari version 2.7.0 to 2.7.6 allows a malicious authenticated user to execute arbitrary code remotely. Users are recommended to upgrade to 2.7.7.

References

lists.apache.org/thread/6xf477ttz1oxmg0bx0tpdoz2mlqd7sbc
nvd.nist.gov/vuln/detail/CVE-2022-42009

Code Behaviors & Features

Detect and mitigate CVE-2022-42009 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →