CRITICAL🚩 CISA KEV⚡ EXPLOIT🇬🇧 English

CVE-2022-22947

CVSS 10.0v3.1pub. 2022-03-03upd. 2025-10-30

In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Oracle Commerce Guided Search

    APP
    Oracle
    11.3.2
  • Oracle Communications Cloud Native Core Binding Support Function

    APP
    Oracle
    1.11.022.1.3
  • Oracle Communications Cloud Native Core Console

    APP
    Oracle
    22.2.0
  • Oracle Communications Cloud Native Core Network Exposure Function

    APP
    Oracle
    22.1.0
  • Oracle Communications Cloud Native Core Network Function Cloud Native Environment

    APP
    Oracle
    1.10.0
  • Oracle Communications Cloud Native Core Network Repository Function

    APP
    Oracle
    1.15.01.15.122.1.222.2.0
  • Oracle Communications Cloud Native Core Network Slice Selection Function

    APP
    Oracle
    1.8.022.1.0
  • Oracle Communications Cloud Native Core Security Edge Protection Proxy

    APP
    Oracle
    22.1.1
  • Oracle Communications Cloud Native Core Service Communication Proxy

    APP
    Oracle
    1.15.0
  • VMware Spring Cloud Gateway

    APP
    Vmware
    3.1.0< 3.0.7

CISA KEV — szczegółyi

Dostawcai
VMware
Produkti
Spring Cloud Gateway
Data dodania do KEVi
16 maja 2022
Termin remediation (USA)i
6 czerwca 2022(po terminie)
Wymagana akcja (CISA)i

Zastosuj aktualizacje zgodnie z instrukcjami producenta.

tłumaczenie AI
Pokaż oryginał (EN)

Apply updates per vendor instructions.

Opis CISAi

Aplikacje Spring Cloud Gateway są podatne na atak code injection, gdy endpoint Gateway Actuator jest włączony, narażony i niezabezpieczony.

tłumaczenie AI
Pokaż oryginał (EN)

Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.

🔴
NATYCHMIASTOWE DZIAŁANIE
Aktywnie wykorzystywane w atakach (CISA KEV). Załataj jak najszybciej.
CISA DEADLINE: 6 czerwca 2022
CWE
Referencje

Powiązane podatności

CVE-2022-22963CRITICAL9.8⚠ KEVten sam produkt

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionalit...

CVE-2022-22965CRITICAL9.8⚠ KEVten sam produkt

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) ...

CVE-2021-3773CRITICAL9.8ten sam produkt

A flaw in netfilter could allow a network-connected attacker to infer openvpn connection endpoint information ...

CVE-2022-23221CRITICAL9.8ten sam produkt

H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL contain...

CVE-2022-23219CRITICAL9.8ten sam produkt

The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) throug...