What is CVE-2022-23463?

CVE-2022-23463 is a critical-severity vulnerability in Nepxion Discover, classified under Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection). CVSS score: 9.4/10. Published 2022-09-24.

How severe is CVE-2022-23463?

Critical severity. CVSS v3 base score is 9.4 out of 10.

RCE in Nepxion Discover

CVE-2022-23463

Nepxion Discovery is a solution for Spring Cloud. Discover is vulnerable to SpEL Injection in discovery-commons. DiscoveryExpressionResolver’s eval method is evaluating expression with a StandardEvaluationContext, allowing the expression t…

Vulnerability class: Log4Shell (CVE-2021-44228)

EPSS: 0.013 (79.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.4 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L.

Affected products

Nepxion Discover — versions 6.16.2

Weakness classification (CWE)

CWE-917 — Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection)

References

securitylab.github.com/advisories/GHSL-2022-033_GHSL-2022-034_Discovery/ (x_refsource_MISC)

Frequently asked questions

What is CVE-2022-23463?: CVE-2022-23463 is a critical-severity vulnerability in Nepxion Discover, classified under Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection). CVSS score: 9.4/10. Published 2022-09-24.
How severe is CVE-2022-23463?: Critical severity. CVSS v3 base score is 9.4 out of 10.