Attacker Value
Moderate
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
1

CVE-2022-22947

Disclosure Date: March 03, 2022
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated

Description

In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.

Add Assessment

3
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Technical Analysis

CVE-2022-22947 is a remote code execution vulnerability in Spring Cloud Gateway that is currently being exploited in the wild. The vulnerable condition stems from Spring Expression Language (SpEL) expressions being passed to the StandardEvaluationContext context. This means that any valid SpEL expression passed to the context is executed.

Wyatt Dahlenberg provided a proof of concept exploit on his blog, which works on crafted vulnerable applications. In order to expose the interface, you need to modify the applications.properties file for an application using the Spring Cloud Gateway, suggesting that exposure of the vulnerable API is both non-standard and relatively uncommon.

Telemetry from Rapid7’s Project Heisenberg reveals a small number of exploit attempts (and scanners looking for vulnerable applications) over the last two months. This suggests that the scale of exploitation is low at this time.

CVSS V3 Severity and Metrics
Base Score:
10.0 Critical
Impact Score:
6
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Changed
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • oracle,
  • vmware

Products

  • commerce guided search 11.3.2,
  • communications cloud native core binding support function 1.11.0,
  • communications cloud native core binding support function 22.1.3,
  • communications cloud native core console 22.2.0,
  • communications cloud native core network exposure function 22.1.0,
  • communications cloud native core network function cloud native environment 1.10.0,
  • communications cloud native core network repository function 1.15.0,
  • communications cloud native core network repository function 1.15.1,
  • communications cloud native core network repository function 22.1.2,
  • communications cloud native core network repository function 22.2.0,
  • communications cloud native core network slice selection function 1.8.0,
  • communications cloud native core network slice selection function 22.1.0,
  • communications cloud native core security edge protection proxy 22.1.1,
  • communications cloud native core service communication proxy 1.15.0,
  • spring cloud gateway,
  • spring cloud gateway 3.1.0

Exploited in the Wild

Reported by:
Technical Analysis