[de.codecentric:spring-boot-admin] Spring Boot Admins integrated notifier support allows arbitrary code execution

Impact

All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are possibly affected.

Patches

In the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 the issue is fixed by implementing SimpleExecutionContext of SpEL. This prevents the arbitrary code execution (i.e. SpEL injection).

Workarounds

• Disable any notifier
• Disable write access (POST request) on /env actuator endpoint

References

• https://github.com/codecentric/spring-boot-admin/security/advisories/GHSA-w3x5-427h-wfq6
• https://github.com/advisories/GHSA-w3x5-427h-wfq6