CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2022-22947

CVSS 10.0v3.1pub. 2022-03-03upd. 2025-10-30

In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Oracle Commerce Guided Search

    APP
    Oracle
    11.3.2
  • Oracle Communications Cloud Native Core Binding Support Function

    APP
    Oracle
    1.11.022.1.3
  • Oracle Communications Cloud Native Core Console

    APP
    Oracle
    22.2.0
  • Oracle Communications Cloud Native Core Network Exposure Function

    APP
    Oracle
    22.1.0
  • Oracle Communications Cloud Native Core Network Function Cloud Native Environment

    APP
    Oracle
    1.10.0
  • Oracle Communications Cloud Native Core Network Repository Function

    APP
    Oracle
    1.15.01.15.122.1.222.2.0
  • Oracle Communications Cloud Native Core Network Slice Selection Function

    APP
    Oracle
    1.8.022.1.0
  • Oracle Communications Cloud Native Core Security Edge Protection Proxy

    APP
    Oracle
    22.1.1
  • Oracle Communications Cloud Native Core Service Communication Proxy

    APP
    Oracle
    1.15.0
  • VMware Spring Cloud Gateway

    APP
    Vmware
    3.1.0< 3.0.7

CISA KEV — detailsi

Vendori
VMware
Producti
Spring Cloud Gateway
Added to KEVi
May 16, 2022
Remediation deadline (US Federal)i
June 6, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 6 czerwca 2022
CWE
References

Related vulnerabilities

CVE-2022-22963CRITICAL9.8⚠ KEVten sam produkt

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionalit...

CVE-2022-22965CRITICAL9.8⚠ KEVten sam produkt

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) ...

CVE-2021-3773CRITICAL9.8ten sam produkt

A flaw in netfilter could allow a network-connected attacker to infer openvpn connection endpoint information ...

CVE-2022-23221CRITICAL9.8ten sam produkt

H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL contain...

CVE-2022-23219CRITICAL9.8ten sam produkt

The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) throug...