Chinese project maintainer appears to have closed the public issue without offering a patch.

Nepxion Discovery, an open-source project that adds functionality to the Spring Cloud framework, contains an unpatched remote code execution (RCE) vulnerability.

On September 9, security researchers from the GitHub Security Lab (GHSL) published details of the vulnerability, along with a second, information disclosure bug in Nepxion Discovery.

Nepxion, a China-based firm, maintains a number of Spring Cloud-related open-source projects.

Despite having over 1,300 forks, the Nepxion Discovery GitHub repository has both its security policy page and its security advisories tab disabled.

SpEL injection

The most serious flaw is tracked as GHSL-2022-033 (CVE-2022-23463). According to GHSL researcher Jorge Rosillo, it is a fundamental problem in the discovery-commons component that makes the programme susceptible to SpEL injection.

SpEL injection occurs when user input reaches a Spring Expression Language (SpEL) parser without sufficient validation. In this case, two endpoints parse user input as SpEL expressions and evaluate them, which lets that input interact with arbitrary Java classes, including java.lang.Runtime, and results in RCE.
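The pattern described above, shown as an added illustration rather than code from the Nepxion Discovery project: the vulnerable shape evaluates untrusted text against a `StandardEvaluationContext`, which exposes the whole SpEL language, while the hardened shape uses Spring's `SimpleEvaluationContext.forReadOnlyDataBinding()`, which restricts evaluation to read-only property access and rejects type references, constructors, bean references and method calls. The class and method names (`SpelInjectionDemo`, `ServiceMetadata`, `evaluateUnsafe`, `evaluateHardened`) are assumptions for this example; only `spring-expression` is required on the classpath.

```java
// Added example, not part of the Nepxion Discovery code base.
// Requires the spring-expression artifact on the classpath.
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelInjectionDemo {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /** Hypothetical root object that a discovery filter expression is meant to inspect. */
    public static class ServiceMetadata {
        private final String region;
        private final String version;

        public ServiceMetadata(String region, String version) {
            this.region = region;
            this.version = version;
        }

        public String getRegion() { return region; }
        public String getVersion() { return version; }
    }

    /**
     * VULNERABLE shape: untrusted input is parsed as SpEL and evaluated in a
     * StandardEvaluationContext, which permits type references (T(...)),
     * constructors and method invocation on any reachable JDK class.
     * This mirrors the flaw class in the advisory; do not use it.
     */
    public static Object evaluateUnsafe(String userExpression, ServiceMetadata root) {
        StandardEvaluationContext ctx = new StandardEvaluationContext(root);
        return PARSER.parseExpression(userExpression).getValue(ctx);
    }

    /**
     * HARDENED shape: SimpleEvaluationContext.forReadOnlyDataBinding() limits
     * SpEL to read-only property access on the root object. Type references,
     * constructors, bean references and method invocation fail with an
     * EvaluationException instead of being executed.
     */
    public static Object evaluateHardened(String userExpression, ServiceMetadata root) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withRootObject(root)
                .build();
        return PARSER.parseExpression(userExpression).getValue(ctx);
    }

    public static void main(String[] args) {
        // Constructed sample metadata.
        ServiceMetadata meta = new ServiceMetadata("eu-west", "1.4.2");

        // A legitimate filter expression works in both contexts.
        System.out.println(evaluateUnsafe("region == 'eu-west'", meta));    // true
        System.out.println(evaluateHardened("region == 'eu-west'", meta));  // true

        // A harmless type reference: the full context resolves it, the
        // restricted context refuses to look the type up at all.
        String typeRef = "T(java.lang.Math).abs(-7)";
        System.out.println(evaluateUnsafe(typeRef, meta)); // 7: arbitrary JDK types reachable
        try {
            evaluateHardened(typeRef, meta);
        } catch (EvaluationException e) {
            System.out.println("rejected by SimpleEvaluationContext: " + e.getMessage());
        }
    }
}
```

`SimpleEvaluationContext` is the mitigation Spring itself recommends when expressions come from outside the application. Where an endpoint does not genuinely need expression evaluation, the stronger fix is to not parse user input as SpEL at all and to accept only a fixed set of filter fields and operators.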

This vulnerability was given a CVSS score of 9.8 due to its seriousness.

The second problem is a server-side request forgery (SSRF) weakness, tracked as GHSL-2022-033 (CVE-2022-23464), with a GitHub score of 4.3 (NIST 7.5), which could lead to data leakage.

No patch has been released, and neither vulnerability has a known workaround, according to the GHSL. Nepxion Discovery versions 6.16.2 and earlier are affected by the problems.

On May 22, the researchers privately disclosed their findings to Nepxion. The team asked for a security contact in June and, having received no reply, opened a public issue on June 20.

On August 9, the maintainers closed the open issue.

By August 21, the deadline of the standard vulnerability disclosure process had passed. As a result, the researchers assigned CVE-2022-23463 and CVE-2022-23464 and published the findings.

In response to our request for comment, GitHub directed us to the initial disclosure.