CVE-2022-22947
published 2022-03-03

Priority: P1 (score 100, critical)
CVSS 3.1: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2022-06-06
Exploited in the wild
EPSS: 98.25% (99.9th percentile)
In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+, applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.

Affected

17 ranges
Vendor | Product | Version range | Fixed in
oracle | commerce_guided_search | |
oracle | communications_cloud_native_core_binding_support_function | |
oracle | communications_cloud_native_core_binding_support_function | |
oracle | communications_cloud_native_core_console | |
oracle | communications_cloud_native_core_network_exposure_function | |
oracle | communications_cloud_native_core_network_function_cloud_native_environment | |
oracle | communications_cloud_native_core_network_repository_function | |
oracle | communications_cloud_native_core_network_repository_function | |
oracle | communications_cloud_native_core_network_repository_function | |
oracle | communications_cloud_native_core_network_repository_function | |
oracle | communications_cloud_native_core_network_slice_selection_function | |
oracle | communications_cloud_native_core_network_slice_selection_function | |
oracle | communications_cloud_native_core_security_edge_protection_proxy | |
oracle | communications_cloud_native_core_service_communication_proxy | |
vmware | spring_cloud_gateway | < 3.0.7 | 3.0.7
vmware | spring_cloud_gateway | |
vmware | spring_cloud_gateway | |

Detection & IOCs (extracted from sources)

url: /actuator/gateway/routes
url: /gateway/routes
url: /gateway/routes/new_route_name
ip: 169.254.169.254
  • Detect unauthenticated HTTP GET requests to /actuator/gateway/routes or /gateway/routes — a 200 response with JSON fields 'predicate' or 'route_id' confirms the vulnerable endpoint is exposed.
  • Alert on HTTP POST requests to /gateway/routes/<any_route_name> from unauthenticated sources — this is the route-creation step used to inject malicious SpEL expressions for RCE.
  • Monitor for outbound HTTP requests from the Spring Cloud Gateway process to 169.254.169.254 (AWS IMDS), which indicates SSRF abuse via a crafted malicious route.
  • Detect SpEL (Spring Expression Language) injection patterns in POST body payloads to /gateway/routes/* endpoints — exploitation uses SpEL expressions to achieve RCE.
  • Scope detection to Spring Cloud Gateway versions 3.1.0, 3.0.0–3.0.6, and older unsupported versions — these are the confirmed vulnerable versions.
  • The Gateway Actuator endpoint is NOT exposed by default — exploitation requires an explicit misconfiguration enabling unauthenticated public access.
  • The SSRF abuse path to AWS IMDS only succeeds if IMDSv1 is enabled on the host; IMDSv2 (the AWS default for new instances) blocks this attack vector.
  • 28% of cloud environments using Spring Cloud Gateway were observed running vulnerable versions (3.1.0, 3.0.0–3.0.6), indicating broad real-world exposure.
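The detection bullets above, run over constructed log lines as an added example; this is not code from the page or from the Spring Cloud Gateway project. The JSON field names (type, method, path, status, auth, body, process, dst_ip) and the rule names are assumptions; the paths, the IMDS address and the version ranges are the ones this page lists.

```python
import json
import re

# Paths and the IMDS address come from this page's IOC list.
ROUTE_LIST_PATHS = {"/actuator/gateway/routes", "/gateway/routes"}
ROUTE_WRITE_RE = re.compile(r"^/(?:actuator/)?gateway/routes/[^/]+/?$")
SPEL_RE = re.compile(r"#\{")  # SpEL expressions in route filter args begin with "#{"
IMDS_IP = "169.254.169.254"

# Constructed sample events, one JSON object per line, as a reverse proxy and an
# egress sensor might emit them; the field names are assumptions, not a real format.
SAMPLE_LOG = """
{"type":"http","method":"GET","path":"/actuator/gateway/routes","status":200,"auth":false,"body":""}
{"type":"http","method":"GET","path":"/gateway/routes","status":401,"auth":false,"body":""}
{"type":"http","method":"POST","path":"/gateway/routes/new_route_name","status":201,"auth":false,"body":"{\\"filters\\":[{\\"args\\":{\\"value\\":\\"#{1+1}\\"}}]}"}
{"type":"http","method":"POST","path":"/gateway/routes/ops-route","status":201,"auth":true,"body":"{\\"uri\\":\\"http://backend:8080\\"}"}
{"type":"egress","process":"spring-cloud-gateway","dst_ip":"169.254.169.254","dst_port":80}
{"type":"egress","process":"spring-cloud-gateway","dst_ip":"10.0.0.5","dst_port":8080}
"""

def is_vulnerable_version(version: str) -> bool:
    """True for the versions the page names: 3.1.0, 3.0.0-3.0.6 and older lines."""
    major, minor, patch = (int(g) for g in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    if (major, minor) == (3, 1):
        return patch < 1
    if (major, minor) == (3, 0):
        return patch < 7
    return (major, minor) < (3, 0)

def detect(lines) -> list[dict]:
    """Apply the page's detection bullets to JSON log lines; one alert dict per hit."""
    alerts = []
    for raw in lines:
        if not raw.strip():
            continue
        ev = json.loads(raw)
        if ev.get("type") == "egress":  # gateway process reaching AWS IMDS: SSRF via a crafted route
            if ev.get("dst_ip") == IMDS_IP and "gateway" in ev.get("process", ""):
                alerts.append({"rule": "gateway_to_imds", "process": ev["process"]})
            continue
        method, path, status = ev["method"], ev["path"], ev["status"]
        unauth = not ev.get("auth", False)
        if method == "GET" and path in ROUTE_LIST_PATHS and status == 200 and unauth:
            alerts.append({"rule": "exposed_route_listing", "path": path})
        elif method == "POST" and ROUTE_WRITE_RE.match(path):
            if unauth:
                alerts.append({"rule": "unauth_route_creation", "path": path})
            if SPEL_RE.search(ev.get("body", "")):
                alerts.append({"rule": "spel_in_route_body", "path": path})
    return alerts
```

On the sample above, the authenticated route write without SpEL and the 401 listing attempt produce no alerts; the other events produce four.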

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck | | 10.0 | CRITICAL |
cisa | | 10.0 | CRITICAL |
vendor_oracle | | 10.0 | CRITICAL |