CVE-2022-22947 — CRITICAL (10.0)

Q: How severe is CVE-2022-22947?

CVE-2022-22947 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2022-22947?

Check the references section above for vendor advisories and patch information. Affected products include: Vmware Spring Cloud Gateway, Oracle Commerce Guided Search, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Console, Oracle Communications Cloud Native Core Network Exposure Function.

Vulnerability Description

In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.

CVSS Score

10.0

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Vmware	Spring Cloud Gateway	< 3.0.7
Oracle	Commerce Guided Search	11.3.2
Oracle	Communications Cloud Native Core Binding Support Function	1.11.0
Oracle	Communications Cloud Native Core Console	22.2.0
Oracle	Communications Cloud Native Core Network Exposure Function	22.1.0
Oracle	Communications Cloud Native Core Network Function Cloud Native Environment	1.10.0
Oracle	Communications Cloud Native Core Network Repository Function	1.15.0
Oracle	Communications Cloud Native Core Network Slice Selection Function	1.8.0
Oracle	Communications Cloud Native Core Security Edge Protection Proxy	22.1.1
Oracle	Communications Cloud Native Core Service Communication Proxy	1.15.0

Related Weaknesses (CWE)

CWE-94 CWE-917

References

http://packetstormsecurity.com/files/166219/Spring-Cloud-Gateway-3.1.0-Remote-CoExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/168742/Spring-Cloud-Gateway-3.1.0-Remote-CoExploitThird Party AdvisoryVDB Entry
https://tanzu.vmware.com/security/cve-2022-22947MitigationVendor Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
http://packetstormsecurity.com/files/166219/Spring-Cloud-Gateway-3.1.0-Remote-CoExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/168742/Spring-Cloud-Gateway-3.1.0-Remote-CoExploitThird Party AdvisoryVDB Entry
https://tanzu.vmware.com/security/cve-2022-22947MitigationVendor Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-US Government Resource

FAQ

What is CVE-2022-22947?

CVE-2022-22947 is a vulnerability with a CVSS score of 10.0 (CRITICAL). In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote atta...

How severe is CVE-2022-22947?

CVE-2022-22947 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2022-22947?

Check the references section above for vendor advisories and patch information. Affected products include: Vmware Spring Cloud Gateway, Oracle Commerce Guided Search, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Console, Oracle Communications Cloud Native Core Network Exposure Function.