In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.
oryginał ENCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HOracle Commerce Guided Search
APPOracle11.3.2Oracle Communications Cloud Native Core Binding Support Function
APPOracle1.11.022.1.3Oracle Communications Cloud Native Core Console
APPOracle22.2.0Oracle Communications Cloud Native Core Network Exposure Function
APPOracle22.1.0Oracle Communications Cloud Native Core Network Function Cloud Native Environment
APPOracle1.10.0Oracle Communications Cloud Native Core Network Repository Function
APPOracle1.15.01.15.122.1.222.2.0Oracle Communications Cloud Native Core Network Slice Selection Function
APPOracle1.8.022.1.0Oracle Communications Cloud Native Core Security Edge Protection Proxy
APPOracle22.1.1Oracle Communications Cloud Native Core Service Communication Proxy
APPOracle1.15.0VMware Spring Cloud Gateway
APPVmware3.1.0< 3.0.7
CISA KEV — szczegółyi
- Dostawcai
- VMware ↗
- Produkti
- Spring Cloud Gateway
- Data dodania do KEVi
- 16 maja 2022
- Termin remediation (USA)i
- 6 czerwca 2022(po terminie)
Zastosuj aktualizacje zgodnie z instrukcjami producenta.
▸ Pokaż oryginał (EN)
Apply updates per vendor instructions.
Aplikacje Spring Cloud Gateway są podatne na atak code injection, gdy endpoint Gateway Actuator jest włączony, narażony i niezabezpieczony.
▸ Pokaż oryginał (EN)
Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.
Powiązane podatności
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionalit...
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) ...
A flaw in netfilter could allow a network-connected attacker to infer openvpn connection endpoint information ...
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL contain...
The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) throug...