CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability


Severity

Critical

Vendor

Spring by VMware

Description

Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed over the web, and unsecured. A remote attacker who can reach that endpoint can send a maliciously crafted request that results in arbitrary code execution on the host running the gateway.

Affected VMware Products and Versions

Severity is critical unless otherwise noted.

  • Spring Cloud Gateway
    • 3.1.0
    • 3.0.0 to 3.0.6
    • Older, unsupported versions are also affected

Mitigation

Users of affected versions should apply the following remediation. 3.1.x users should upgrade to 3.1.1 or later; 3.0.x users should upgrade to 3.0.7 or later. If the Gateway actuator endpoint is not needed, disable it by setting management.endpoint.gateway.enabled: false (the endpoint is only reachable over HTTP when it is also listed in management.endpoints.web.exposure.include, so it should be removed from that list as well). If the endpoint is required, secure it with Spring Security; see https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html#actuator.endpoints.security. Disabling or securing the endpoint limits exposure but does not remove the underlying flaw; upgrading does. Releases that have fixed this issue include:

  • Spring Cloud Gateway
    • 3.1.1+
    • 3.0.7+

Credit

This vulnerability was discovered and responsibly reported by Wyatt Dahlenburg.

References

History

2022-03-01: Initial vulnerability report published.