VMware Spring Cloud Gateway: CVE-2022-22947: Improper Control of Generation of Code
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:M/Au:N/C:P/I:P/A:P) | Mar 3, 2022 | Aug 22, 2025 | Aug 22, 2025 |
Description
In Spring Cloud Gateway versions prior to 3.1.1+ and 3.0.7+, applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.
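The following Python check is an added example, not part of the original advisory or of the Spring project's code. It tests two of the conditions in the description (an affected version, and a Gateway Actuator endpoint that is enabled and exposed) against a flat `application.properties` file. The function names, result labels, sample file and assumed property defaults are illustrative; nested YAML is not handled, and whether the endpoint is secured cannot be read from these properties and needs separate review.

```python
import re

# Constructed sample application.properties content (not taken from the advisory).
SAMPLE_PROPS = """\
management.endpoint.gateway.enabled=true
management.endpoints.web.exposure.include=health,gateway
"""

def parse_props(text):
    """Parse flat key=value or key: value lines; skip blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip(" '\"")
    return props

def version_affected(version):
    """True for releases older than the fixed 3.0.7 and 3.1.1 lines."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))
    if parts[:2] == (3, 1):
        return parts < (3, 1, 1)
    return parts < (3, 0, 7)

def _names(props, key, default):
    return {v.strip() for v in props.get(key, default).split(",")}

def gateway_endpoint_exposed(props):
    """Enabled and exposed over HTTP. Assumed defaults: enabled=true, include=health."""
    enabled = props.get("management.endpoint.gateway.enabled", "true").lower() != "false"
    include = _names(props, "management.endpoints.web.exposure.include", "health")
    exclude = _names(props, "management.endpoints.web.exposure.exclude", "")
    wanted = {"gateway", "*"}
    return enabled and bool(include & wanted) and not (exclude & wanted)

def assess(version, props_text):
    """Return 'at-risk', 'upgrade' (affected but endpoint not exposed) or 'patched'."""
    if not version_affected(version):
        return "patched"
    exposed = gateway_endpoint_exposed(parse_props(props_text))
    return "at-risk" if exposed else "upgrade"

if __name__ == "__main__":
    print(assess("3.1.0", SAMPLE_PROPS))
```

An `upgrade` result still means the dependency should be moved to a fixed release; it only indicates that the exposure condition was not found in the file examined.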
Solution
vmware-spring-cloud-gateway-upgrade-latest
References
- CVE-2022-22947
- https://attackerkb.com/topics/CVE-2022-22947
- http://packetstormsecurity.com/files/166219/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/168742/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.html
- https://tanzu.vmware.com/security/cve-2022-22947
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- CWE-94
- CWE-917