{"id":"CVE-2022-22947","details":"In Spring Cloud Gateway versions prior to 3.1.1 and 3.0.7, applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote code execution on the remote host.","aliases":["GHSA-3gx9-37ww-9qw6"],"modified":"2025-11-14T12:56:00.800895Z","published":"2022-03-03T22:15:08.673Z","references":[{"type":"ADVISORY","url":"https://tanzu.vmware.com/security/cve-2022-22947"},{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22947"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/166219/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.html"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/168742/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/spring-cloud/spring-cloud-gateway","events":[{"introduced":"0"},{"fixed":"2b4b39598dbbb7baa8426a283050a5b9490bb28b"}]}],"versions":["v1.0.0.M1","v1.0.0.RC1","v1.0.0.RELEASE","v1.0.1.RELEASE","v2.0.0.M1","v2.0.0.M2","v2.0.0.M3","v2.0.0.M4","v2.0.0.M5","v2.0.0.M6","v2.0.0.M7","v2.0.0.M8","v2.0.0.M9","v2.0.0.RC1","v2.0.0.RC2","v2.0.0.RELEASE","v2.0.1.RELEASE","v2.0.2.RELEASE","v2.0.3.RELEASE","v2.1.0.M1","v2.1.0.M2","v2.1.0.M3","v2.1.0.RC1","v2.1.0.RC2","v2.1.0.RC3","v2.1.0.RELEASE","v2.1.1.RELEASE","v2.1.3.RELEASE","v2.1.4.RELEASE","v2.2.0.M2","v2.2.0.M3","v2.2.0.RC1","v2.2.0.RC2","v2.2.0.RELEASE","v2.2.1.RELEASE","v2.2.2.RELEASE","v2.2.3.RELEASE","v2.2.4.RELEASE","v2.2.5.RELEASE","v2.2.6.RELEASE","v2.2.7.RELEASE","v2.2.8.RELEASE","v3.0.0","v3.0.0-M2","v3.0.0-M3","v3.0.0-M4","v3.0.0-M5","v3.0.0-M6","v3.0.0-RC1","v3.0.0.M1","v3.0.1","v3.0.2","v3.0.3","v3.0.4"
,"v3.0.5","v3.0.6"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-22947.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}]}