CVE-2022-22947: Code Execution vulnerability on Vmware Spring Cloud Gateway

Vulnerability Details : CVE-2022-22947

CVE Name: CVE-2022-22947: Code Execution vulnerability on Vmware Spring Cloud Gateway

Description: In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.

Publish date: 2022-03-03T22:15Z

Last Update: 2022-04-20T00:16Z

CVSS Scores & Vulnerability Types

CVSS Score	10.0
Confidentiality Impact	HIGH
Integrity Impact	HIGH
Availability Impact	HIGH
Actack Vector	NETWORK
Actack Complexity	LOW
Privileges Required	NONE
User Interaction	NONE
Scope	CHANGED
Vulnerability Type(s)	Code Execution
CWE ID	94

Products Affected By CVE-2022-22947

#	Vendor	Product	Vulnerable Versions
1	Vmware	Spring Cloud Gateway	2

Detail of Verions Affected

#	Product Type	Vendor	Product	Version
1	Application	Vmware	Spring Cloud Gateway	*
2	Application	Vmware	Spring Cloud Gateway	3.1.0

References For CVE-2022-22947

Hyperlink	Resource
https://tanzu.vmware.com/security/cve-2022-22947	Mitigation, Vendor Advisory
http://packetstormsecurity.com/files/166219/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.html	Exploit, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html