CISA Known Exploited Vulnerability
This vulnerability is actively exploited in the wild and listed in the CISA Known Exploited Vulnerabilities catalog.
Remediation Deadline: Jun 6, 2022
Description
Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.
CVSS Score
10/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS — Exploit Probability
94.5%
Higher than 100.0% of all CVEs
Weakness Classification (CWE)
Known Exploits
POC
- http://packetstormsecurity.com/files/166219/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.html (Exploit)
- http://packetstormsecurity.com/files/168742/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.html (Exploit)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch)
Required Action
https://nvd.nist.gov/vuln/detail/CVE-2022-22947
Risk Assessment
CRITICAL
In CISA KEV
Known exploit
Critical CVSS
High EPSS
Details
- Severity: High
- CVSS: 10
- EPSS: 94.5%
- CWE: CWE-94
- Exploit: POC
- CISA KEV: Yes
- Ransomware: Unknown
- Articles: 0
Timeline
Published
May 16, 2022
Added to KEV
May 16, 2022
Remediation Due
Jun 6, 2022