CVE-2022-22947
| CVE Published | 2022-03-03 |
|---|---|
| Related CWE(s) | CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection'), CWE-94: Improper Control of Generation of Code ('Code Injection') |
| Related Vendor(s) | vmware, oracle |
| Related Product(s) | communications_cloud_native_core_binding_support_function, communications_cloud_native_core_network_slice_selection_function, communications_cloud_native_core_network_exposure_function, commerce_guided_search, communications_cloud_native_core_network_function_cloud_native_environment, communications_cloud_native_core_service_communication_proxy, communications_cloud_native_core_console, communications_cloud_native_core_security_edge_protection_proxy, spring_cloud_gateway, communications_cloud_native_core_network_repository_function |
| Exploitation Reported (CISA KEV) | 2022-05-16 |
| CVSS 3 Base Score | 10.0 (CRITICAL) |
| CVSS 3 Attack Complexity | LOW |
| CVSS 3 Attack Vector | NETWORK |
In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.
Cyber Threat Graph Context
Explore how this CVE relates to the wider threat graph
Threat Reports Related to CVE-2022-22947
Report
North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs
This cybersecurity advisory from the U.S. Federal Bureau of Investigation (FBI) and its partners, highlights the cyber espionage activities of the ...