GHSA-3gx9-37ww-9qw6 · Severity: critical · Ecosystem: maven — Spring Cloud Gateway vulnerable to Code Injection when Gateway Actuator endpoint enabled, exposed, unsecured
In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.
Conclusion & alert: CVE-2022-22947 is rated Critical Active Threat (100/100): CVSS Critical severity, with high exploitation likelihood (EPSS 98.25%, 100th percentile). Core evidence: CISA KEV confirms active exploitation (added 2022-05-16) affecting VMware / Spring Cloud Gateway. a weakness (CWE-917) Unauthenticated remote administrative access may be possible. EPSS rose +3.79% over the last day, indicating growing attacker interest. Mandatory action: The CISA remediation deadline has passed—treat as an emergency patch priority.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
: VMware Spring Cloud Gateway Code Injection Vulnerability · CISA KEV detail
: 2022-05-16
: 2022-06-06
: Apply updates per vendor instructions.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| 50799 | exploit_db | edb | 2022-03-07 | Exploit-DB ↗ |
| — | nvd_ref | exploit_tag | Exploit-DB ↗ | |
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 94.46% | 98.25% | +3.79% |
| 2 | 2025-11-21 | 94.34% | 94.46% | +0.12% |
| 3 | 2025-11-18 | — | 94.34% | — |
Full EPSS history (17 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 10.0 | 3.1 | CRITICAL |
|
3.9 | 6.0 | [email protected] |
| 10.0 | 3.1 | CRITICAL |
|
3.9 | 6.0 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| 6.8 | 2.0 | MEDIUM |
|
8.6 | 6.4 | [email protected] |
GHSA-3gx9-37ww-9qw6 · Severity: critical · Ecosystem: maven — Spring Cloud Gateway vulnerable to Code Injection when Gateway Actuator endpoint enabled, exposed, unsecured
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| vmware | spring_cloud_gateway | < 3.0.7 | cpe:2.3:a:vmware:spring_cloud_gateway:*:*:*:*:*:*:*:* |
| vmware | spring_cloud_gateway | 3.1.0 | cpe:2.3:a:vmware:spring_cloud_gateway:3.1.0:*:*:*:*:*:*:* |
| oracle | commerce_guided_search | 11.3.2 | cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_binding_support_function | 1.11.0 | cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_binding_support_function | 22.1.3 | cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_console | 22.2.0 | cpe:2.3:a:oracle:communications_cloud_native_core_console:22.2.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_network_exposure_function | 22.1.0 | cpe:2.3:a:oracle:communications_cloud_native_core_network_exposure_function:22.1.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_network_function_cloud_native_environment | 1.10.0 | cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_network_repository_function | 1.15.0 | cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_network_repository_function | 1.15.1 | cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_network_repository_function | 22.1.2 | cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.2:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_network_repository_function | 22.2.0 | cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.2.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_network_slice_selection_function | 1.8.0 | cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_network_slice_selection_function | 22.1.0 | cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_security_edge_protection_proxy | 22.1.1 | cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.1:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_service_communication_proxy | 1.15.0 | cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.15.0:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| http://packetstormsecurity.com/files/166219/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.html | Exploit Third Party Advisory VDB Entry |
| http://packetstormsecurity.com/files/168742/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.html | Exploit Third Party Advisory VDB Entry |
| https://tanzu.vmware.com/security/cve-2022-22947 | Mitigation Vendor Advisory |
| https://www.oracle.com/security-alerts/cpuapr2022.html | Patch Third Party Advisory |
| https://www.oracle.com/security-alerts/cpujul2022.html | Patch Third Party Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22947 | US Government Resource |