CVE-2022-22947

VMware Spring Cloud Gateway Code Injection Vulnerability

Severity Score

10.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

*SSVC

Descriptions

In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.

En spring cloud gateway versiones anteriores a 3.1.1+ y a 3.0.7+ , las aplicaciones son vulnerables a un ataque de inyección de código cuando el endpoint del Actuador de la Puerta de Enlace está habilitado, expuesto y sin seguridad. Un atacante remoto podría realizar una petición maliciosamente diseñada que podría permitir una ejecución remota arbitraria en el host remoto

Spring Cloud Gateway version 3.1.0 suffers from a remote code execution vulnerability.

Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-01-10 CVE Reserved
2022-03-03 CVE Published
2022-03-03 First Exploit
2022-05-16 Exploited in Wild
2022-06-06 KEV Due Date
2024-08-03 CVE Updated
2024-08-29 EPSS Updated

CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CAPEC

References (31)

URL	Tag	Source

URL	Date	SRC
https://www.exploit-db.com/exploits/50799	2022-03-07
https://github.com/lucksec/Spring-Cloud-Gateway-CVE-2022-22947	2022-03-03
https://github.com/0x7eTeam/CVE-2022-22947	2022-03-08
https://github.com/tangxiaofeng7/CVE-2022-22947-Spring-Cloud-Gateway	2022-03-04
https://github.com/crowsec-edtech/CVE-2022-22947	2022-03-04
https://github.com/0730Nophone/CVE-2022-22947-	2022-05-16
https://github.com/Wrin9/CVE-2022-22947	2022-03-17
https://github.com/M0ge/CVE-2022-22947-Spring-Cloud-Gateway-SpelRCE	2022-03-09
https://github.com/nanaao/CVE-2022-22947-POC	2022-03-04
https://github.com/hunzi0/CVE-2022-22947-Rce_POC	2022-03-04
https://github.com/Greetdawn/CVE-2022-22947	2022-03-04
https://github.com/mrknow001/CVE-2022-22947	2022-03-08
https://github.com/Zh0um1/CVE-2022-22947	2023-06-21
https://github.com/4nNns/CVE-2022-22947	2022-09-16
https://github.com/Le1a/CVE-2022-22947	2023-05-27
https://github.com/stayfoolish777/CVE-2022-22947-POC	2022-06-09
https://github.com/SiJiDo/CVE-2022-22947	2022-08-23
https://github.com/Nathaniel1025/CVE-2022-22947	2022-03-25
https://github.com/Summer177/Spring-Cloud-Gateway-CVE-2022-22947	2022-03-04
https://github.com/LY613313/CVE-2022-22947	2022-08-03
https://github.com/dbgee/CVE-2022-22947	2022-03-04
https://github.com/22ke/CVE-2022-22947	2022-03-05
https://github.com/aesm1p/CVE-2022-22947-POC-Reproduce	2022-04-05
https://github.com/Jun-5heng/CVE-2022-22947	2022-03-29
https://github.com/BerMalBerIst/CVE-2022-22947	2022-03-04
https://github.com/bysinks/CVE-2022-22947	2022-03-15
http://packetstormsecurity.com/files/166219/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.html	2024-08-03
http://packetstormsecurity.com/files/168742/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.html	2024-08-03

URL	Date	SRC
https://www.oracle.com/security-alerts/cpuapr2022.html	2023-07-24
https://www.oracle.com/security-alerts/cpujul2022.html	2023-07-24

URL	Date	SRC
https://tanzu.vmware.com/security/cve-2022-22947	2023-07-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Vmware Search vendor "Vmware"		Spring Cloud Gateway Search vendor "Vmware" for product "Spring Cloud Gateway"				< 3.0.7 Search vendor "Vmware" for product "Spring Cloud Gateway" and version " < 3.0.7"		-		Affected
Vmware Search vendor "Vmware"		Spring Cloud Gateway Search vendor "Vmware" for product "Spring Cloud Gateway"				3.1.0 Search vendor "Vmware" for product "Spring Cloud Gateway" and version "3.1.0"		-		Affected
Oracle Search vendor "Oracle"		Commerce Guided Search Search vendor "Oracle" for product "Commerce Guided Search"				11.3.2 Search vendor "Oracle" for product "Commerce Guided Search" and version "11.3.2"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Binding Support Function Search vendor "Oracle" for product "Communications Cloud Native Core Binding Support Function"				1.11.0 Search vendor "Oracle" for product "Communications Cloud Native Core Binding Support Function" and version "1.11.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Binding Support Function Search vendor "Oracle" for product "Communications Cloud Native Core Binding Support Function"				22.1.3 Search vendor "Oracle" for product "Communications Cloud Native Core Binding Support Function" and version "22.1.3"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Console Search vendor "Oracle" for product "Communications Cloud Native Core Console"				22.2.0 Search vendor "Oracle" for product "Communications Cloud Native Core Console" and version "22.2.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Network Exposure Function Search vendor "Oracle" for product "Communications Cloud Native Core Network Exposure Function"				22.1.0 Search vendor "Oracle" for product "Communications Cloud Native Core Network Exposure Function" and version "22.1.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Network Function Cloud Native Environment Search vendor "Oracle" for product "Communications Cloud Native Core Network Function Cloud Native Environment"				1.10.0 Search vendor "Oracle" for product "Communications Cloud Native Core Network Function Cloud Native Environment" and version "1.10.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Network Repository Function Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function"				1.15.0 Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function" and version "1.15.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Network Repository Function Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function"				1.15.1 Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function" and version "1.15.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Network Repository Function Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function"				22.1.2 Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function" and version "22.1.2"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Network Repository Function Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function"				22.2.0 Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function" and version "22.2.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Network Slice Selection Function Search vendor "Oracle" for product "Communications Cloud Native Core Network Slice Selection Function"				1.8.0 Search vendor "Oracle" for product "Communications Cloud Native Core Network Slice Selection Function" and version "1.8.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Network Slice Selection Function Search vendor "Oracle" for product "Communications Cloud Native Core Network Slice Selection Function"				22.1.0 Search vendor "Oracle" for product "Communications Cloud Native Core Network Slice Selection Function" and version "22.1.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Security Edge Protection Proxy Search vendor "Oracle" for product "Communications Cloud Native Core Security Edge Protection Proxy"				22.1.1 Search vendor "Oracle" for product "Communications Cloud Native Core Security Edge Protection Proxy" and version "22.1.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Service Communication Proxy Search vendor "Oracle" for product "Communications Cloud Native Core Service Communication Proxy"				1.15.0 Search vendor "Oracle" for product "Communications Cloud Native Core Service Communication Proxy" and version "1.15.0"		-		Affected