CVE-2022-35912: 
Java vulnerability analysis and mitigation

CVE-2022-35912 is a critical security vulnerability in the Grails framework's data-binding functionality, discovered by meizjm3i and codeplutos of AntGroup FG Security Lab. The vulnerability affects Grails versions before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1, particularly when running on Java 8 configurations. The issue was disclosed on July 18, 2022, and allows remote attackers to execute code by gaining unauthorized access to the class loader (Grails Blog, GitHub Advisory).

The vulnerability exists in the Grails data-binding logic, which can be triggered through multiple vectors including command objects creation, domain class construction, and manual data binding using bindData. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The exploit is confirmed to work in both embedded Tomcat runtime environments and applications deployed as WAR files to servlet containers (NVD, Grails Blog).

The vulnerability allows attackers to remotely execute code within a Grails application runtime by issuing specially crafted web requests that grant access to the class loader. This affects applications running on Java 8, including both those using embedded Tomcat runtime and those deployed to Servlet Containers (Grails Blog, OSS Security).

The vulnerability has been patched in Grails versions 5.2.1, 5.1.9, 4.1.1, and 3.3.15. Organizations are strongly advised to upgrade to these patched versions immediately. Even applications not directly vulnerable to this specific attack are recommended to update to a patched release due to the nature of the vulnerability. For Grails 3 applications, version 3.3.15 includes the security patch, though it's noted that Grails 3 has reached end of support (Grails Blog, GitHub Advisory).