Spring Security Advisories

CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability

CRITICAL | MARCH 01, 2022 | CVE-2022-22947

Description

Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed over the web and left unsecured. All three conditions must hold: the endpoint is controlled by management.endpoint.gateway.enabled, its web exposure by management.endpoints.web.exposure.include (Spring Boot does not expose it by default), and access control by whatever security configuration the application applies to Actuator paths. A remote attacker who can reach the exposed endpoint can send a maliciously crafted request and achieve arbitrary remote code execution on the host running the gateway.

Affected Spring Products and Versions

  • Spring Cloud Gateway
    • 3.1.0
    • 3.0.0 to 3.0.6
    • Older, unsupported versions are also affected

Mitigation

Users of affected versions should apply the following remediation. 3.1.x users should upgrade to 3.1.1+. 3.0.x users should upgrade to 3.0.7+. Upgrading is the fix; the two configuration measures below reduce exposure while an upgrade is pending and remain good practice afterwards. If the Gateway actuator endpoint is not needed, disable it by setting management.endpoint.gateway.enabled: false in application.yml (or the equivalent application.properties entry). If the actuator is required, secure it with Spring Security so that only authenticated, authorised callers reach it; see https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html#actuator.endpoints.security. Releases that have fixed this issue include:

  • Spring Cloud Gateway
    • 3.1.1+
    • 3.0.7+
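The following is an added example of the "secure it with Spring Security" mitigation; it is not code from the advisory or from the Spring Cloud Gateway project. Spring Cloud Gateway runs on WebFlux, so it uses the reactive ServerHttpSecurity API and Spring Boot's reactive EndpointRequest matcher rather than the servlet variants. The property values in the header comment, the role name ACTUATOR_ADMIN and the bean names are assumptions chosen for the example; the Basic-auth user shown relies on Spring Boot's default in-memory user configured through the spring.security.user.* properties. It does not replace the upgrade to 3.1.1+ / 3.0.7+.

```java
// Added example (not from the advisory): a Spring Security configuration that
// locks down the Actuator endpoints of a Spring Cloud Gateway application.
//
// Property settings assumed alongside this class (application.properties form):
//
//   # Weak: gateway endpoint enabled and exposed over HTTP with no security chain
//   management.endpoints.web.exposure.include=gateway
//   management.endpoint.gateway.enabled=true
//
//   # Preferred when the endpoint is not needed (the advisory's first measure):
//   management.endpoint.gateway.enabled=false
//
//   # When it is needed, expose it only together with the chain below.
//   # Hypothetical credentials for Spring Boot's default in-memory user:
//   spring.security.user.name=actuator
//   spring.security.user.password=<strong-random-secret>
//   spring.security.user.roles=ACTUATOR_ADMIN

import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class ActuatorSecurityConfig {

    /**
     * Chain that applies only to Actuator endpoints, whatever base path
     * management.endpoints.web.base-path sets. Every request to them,
     * including the gateway endpoint, must carry valid HTTP Basic
     * credentials for a user holding ROLE_ACTUATOR_ADMIN; anything else
     * is rejected before the endpoint code runs.
     */
    @Bean
    @Order(1)
    public SecurityWebFilterChain actuatorSecurity(ServerHttpSecurity http) {
        return http
                .securityMatcher(EndpointRequest.toAnyEndpoint())
                .authorizeExchange(exchanges -> exchanges
                        .anyExchange().hasRole("ACTUATOR_ADMIN"))
                .httpBasic(Customizer.withDefaults())
                // Stateless Basic-auth clients (scripts, monitoring) carry no
                // CSRF token, and there is no session to protect here.
                .csrf(ServerHttpSecurity.CsrfSpec::disable)
                .build();
    }

    /**
     * Catch-all chain for the proxied routes. They are left open here so
     * that adding the actuator chain does not change existing routing
     * behaviour; tighten this to the application's own requirements.
     */
    @Bean
    @Order(2)
    public SecurityWebFilterChain proxiedTraffic(ServerHttpSecurity http) {
        return http
                .authorizeExchange(exchanges -> exchanges.anyExchange().permitAll())
                .csrf(ServerHttpSecurity.CsrfSpec::disable)
                .build();
    }
}
```

After deploying, confirm the change took effect from outside the host: an unauthenticated request to the gateway endpoint under the Actuator base path should now return 401, and a request with the configured credentials should be the only way to get a 200. Restricting the chain with securityMatcher matters because the gateway's purpose is to forward arbitrary client traffic; the catch-all chain keeps that traffic on its existing policy while the Actuator paths get the stricter one.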

Credit

This vulnerability was discovered and responsibly reported by Wyatt Dahlenburg.

History

  • 2022-03-01: Initial vulnerability report published.
