Critical severityCISA KEVNVD Advisory· Published Mar 3, 2022· Updated Oct 21, 2025
CVE-2022-22947
CVE-2022-22947
Description
In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.springframework.cloud:spring-cloud-gatewayMaven | < 3.0.7 | 3.0.7 |
org.springframework.cloud:spring-cloud-gatewayMaven | >= 3.1.0, < 3.1.1 | 3.1.1 |
Affected products
1- Spring/spring cloud gatewaydescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- github.com/advisories/GHSA-3gx9-37ww-9qw6ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-22947ghsaADVISORY
- packetstormsecurity.com/files/166219/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.htmlghsaWEB
- packetstormsecurity.com/files/168742/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.htmlghsaWEB
- tanzu.vmware.com/security/cve-2022-22947ghsaWEB
- www.oracle.com/security-alerts/cpuapr2022.htmlghsaWEB
- www.oracle.com/security-alerts/cpujul2022.htmlghsaWEB
News mentions
0No linked articles in our index yet.