Impact
All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are possibly affected.
Patches
In the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 the issue is fixed by implementing SimpleExecutionContext
of SpEL. This prevents the arbitrary code execution (i.e. SpEL injection).
Workarounds
- Disable any notifier
- Disable write access (POST request) on
/env
actuator endpoint