CVE-2022-22947: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

March 4, 2022 (updated March 8, 2022)

In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+, applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.

References

github.com/advisories/GHSA-3gx9-37ww-9qw6
nvd.nist.gov/vuln/detail/CVE-2022-22947
tanzu.vmware.com/security/cve-2022-22947

Code Behaviors & Features

Detect and mitigate CVE-2022-22947 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →