Grails® data binding causes JVM crash and/or DoS
Package
Affected versions
>= 6.0.0, < 6.1.0
>= 5.0.0, < 5.3.4
>= 4.0.0, < 4.1.3
>= 3.0.0, < 3.3.17
>= 2.0.0, < 3.0.0
Patched versions
6.1.0
5.3.4
4.1.3
3.3.17
Impact
A specially crafted web request can lead to a JVM crash or denial of service. Any Grails® framework application using Grails data binding is vulnerable.
Patches
Patches are available for Grails 3 and later.
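To check a project against the version ranges listed above, the following added example (not part of the advisory or of the Grails project) extracts the Grails version from a properties file and reports whether it is affected and which patched release applies. It assumes the version is declared as grailsVersion in gradle.properties or as app.grails.version in application.properties; the function names are hypothetical and the sample input is constructed.

```python
import re

# Ranges copied from the advisory: (lowest affected, first fixed / upper bound, upgrade target).
# The 2.x line has no patched release listed, so its target is None.
RANGES = [
    ((6, 0, 0), (6, 1, 0), "6.1.0"),
    ((5, 0, 0), (5, 3, 4), "5.3.4"),
    ((4, 0, 0), (4, 1, 3), "4.1.3"),
    ((3, 0, 0), (3, 3, 17), "3.3.17"),
    ((2, 0, 0), (3, 0, 0), None),
]

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for e.g. '5.3.2' or '6.1.0-RC1'."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[.-]([A-Za-z][\w.-]*))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Grails version: {text!r}")
    nums = tuple(int(g or 0) for g in m.group(1, 2, 3))
    qualifier = m.group(4)
    return nums, bool(qualifier) and qualifier.upper() != "RELEASE"

def check(version):
    """Return (affected, upgrade_target) for one version string."""
    nums, prerelease = parse_version(version)
    for low, high, target in RANGES:
        # Assumption: a pre-release of a fixed version (e.g. 6.1.0-RC1) sorts
        # before that version, so it is reported as affected.
        if low <= nums < high or (prerelease and nums == high and target):
            return True, target
    return False, None

def find_version(properties_text):
    """Extract the Grails version from the text of a properties file, or None."""
    for line in properties_text.splitlines():
        m = re.match(r"\s*(grailsVersion|app\.grails\.version)\s*[=:]\s*(\S+)", line)
        if m:
            return m.group(2)
    return None

if __name__ == "__main__":
    sample = "grailsGormVersion=7.3.2\ngrailsVersion=5.3.2\n"  # constructed input
    version = find_version(sample)
    print(version, check(version))
```

A result of (True, None) means the version is in the affected 2.x range, for which the advisory lists no patched release.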
Workarounds
No workaround is possible except to avoid data binding to request data.