Maven package
org.springframework.cloud/spring-cloud-gateway
pkg:maven/org.springframework.cloud/spring-cloud-gateway
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-22750 | Hig | 7.5 | >= 4.2.0, < 4.2.1 | 4.2.1 | Apr 10, 2026 | When configuring SSL bundles in Spring Cloud Gateway by using the configuration property spring.ssl.bundle, the configuration was silently ignored and the default SSL configuration was used instead. Note: The 4.2.x branch is no longer under open source support. If you are using S | |
| CVE-2022-22947 | — | KEV | < 3.0.7 | 3.0.7 | Mar 3, 2022 | In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote | |
| CVE-2021-22051 | — | >= 3.0.0, < 3.0.5 | 3.0.5 | Nov 8, 2021 | Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.5+, 2.2.x users should upgrade to 2 |
- affected >= 4.2.0, < 4.2.1fixed 4.2.1
When configuring SSL bundles in Spring Cloud Gateway by using the configuration property spring.ssl.bundle, the configuration was silently ignored and the default SSL configuration was used instead. Note: The 4.2.x branch is no longer under open source support. If you are using S
- affected < 3.0.7fixed 3.0.7
In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote
- CVE-2021-22051Nov 8, 2021affected >= 3.0.0, < 3.0.5fixed 3.0.5
Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.5+, 2.2.x users should upgrade to 2