Critical code injection vulnerabilities in VMware Spring Cloud Gateway

Cybersecurity specialists report the detection of two vulnerabilities in VMware Spring Cloud Gateway, a library for building API gateways on top of Spring and Java that offers a flexible way to route requests based on a number of criteria. According to the report, exploitation of these flaws could lead to dangerous attack scenarios.

Below are brief descriptions of the reported security flaws, along with their tracking identifiers and scores under the Common Vulnerability Scoring System (CVSS).

CVE-2022-22947: A code injection flaw that, when the Gateway Actuator endpoint is enabled, would allow remote threat actors to execute arbitrary code on the affected system by sending specially crafted HTTP POST requests.

This is a highly severe vulnerability and received a CVSS score of 9/10, as it could be exploited remotely by unauthenticated attackers.

CVE-2022-22946: A security evasion issue when using TrustManager HTTP2 would allow local users to send a specially crafted request and connect to remote services with invalid or custom certificates.

This is a low severity flaw and received a CVSS score of 4.8/10. This issue can be exploited locally, so the attacker must be authenticated on the compromised system.

The flaws reside in Spring Cloud Gateway versions between v3.0.0 and v3.1.0.
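One way to check a deployment against the two conditions described above (Gateway Actuator endpoint enabled, version in the affected range) is shown below in Python. This is an added example, not code from the report or the Spring project; it assumes a flat `application.properties` file, Spring Boot's standard `management.*` property names with their documented defaults, and a constructed sample configuration.

```python
import re

AFFECTED_MIN, AFFECTED_MAX = (3, 0, 0), (3, 1, 0)  # range as stated in the article

# Constructed sample configuration, not taken from any real deployment.
SAMPLE = """\
management.endpoint.gateway.enabled=true
management.endpoints.web.exposure.include=health,gateway
"""

def parse_properties(text):
    """Parse flat key=value lines, skipping blanks and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def _csv(value):
    return {item.strip().lower() for item in value.split(",") if item.strip()}

def gateway_actuator_exposed(props):
    """True when the gateway endpoint is enabled and exposed over HTTP."""
    # Assumed defaults: endpoint enabled, only "health" exposed on the web.
    # Not handled here: YAML files, profiles, management.endpoints.enabled-by-default.
    enabled = props.get("management.endpoint.gateway.enabled", "true").lower() == "true"
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    # An exclude entry takes precedence over an include entry.
    exposed = bool({"*", "gateway"} & include) and not ({"*", "gateway"} & exclude)
    return enabled and exposed

def version_affected(version):
    """True when the version falls inside the article's range (inclusive)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    return bool(m) and AFFECTED_MIN <= tuple(map(int, m.groups())) <= AFFECTED_MAX

def audit(version, properties_text):
    exposed = gateway_actuator_exposed(parse_properties(properties_text))
    affected = version_affected(version)
    if affected and exposed:
        return "AT RISK: affected version with gateway actuator exposed"
    if exposed:
        return "REVIEW: gateway actuator exposed; confirm it requires authentication"
    return "UPGRADE: affected version; gateway actuator not exposed" if affected else "OK"

if __name__ == "__main__":
    print(audit("3.1.0", SAMPLE))
```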

While there are publicly available exploits for these flaws, so far no active exploitation attempts related to these reports have been detected. However, the developers recommend addressing the flaws as soon as possible.
