Critical Spring Cloud Gateway Vulnerabilities (CVE-2022-22946 & 22947) – Risks and Fixes

On March 1, 2022, Spring published two critical CVEs (CVE-2022-22946 and CVE-2022-22947) affecting Spring Cloud Gateway: a remote code execution flaw reachable through an exposed Actuator endpoint, and an insecure HTTP/2 TrustManager. This article summarizes both issues and the upgrade and configuration steps that mitigate them.

Java Backend Technology

Spring Cloud Gateway Vulnerabilities Overview

On March 1, 2022, the Spring team announced two high-severity CVEs for Spring Cloud Gateway: CVE-2022-22947 (remote code execution) and CVE-2022-22946 (insecure HTTP/2 TrustManager).

Vulnerability 1 - Remote Code Execution (CVE-2022-22947)

If a Spring Cloud Gateway application exposes the Gateway Actuator endpoint, an attacker who can reach that endpoint can inject a SpEL expression that is evaluated server-side, executing arbitrary code on the host.

Pre‑conditions:

The application uses Spring Boot Actuator and exposes the /actuator/gateway endpoint.

The configuration includes:

# Default true
management.endpoint.gateway.enabled=true

# Comma-separated list of exposed endpoints (default includes health)
# Including "gateway" exposes the Gateway actuator endpoint
management.endpoints.web.exposure.include=gateway

Affected versions:

Spring Cloud Gateway 3.1.x < 3.1.1

Spring Cloud Gateway 3.0.x < 3.0.7

Other older, unsupported versions

Mitigation:

Upgrade to Spring Cloud Gateway 3.1.1 or 3.0.7.

Or disable the Gateway actuator endpoint by setting:

management.endpoint.gateway.enabled=false
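To check the pre-conditions and affected versions above against a deployment, here is an added Python audit helper (example code written for this page, not part of Spring or the original article). It parses the two `.properties` keys named above plus the Spring Cloud Gateway version, and applies Spring Boot's default exposure rules that the page does not spell out (the endpoint is enabled by default, the include list defaults to `health`, an exclude list overrides include, and `*` matches every endpoint); it assumes a `.properties` file rather than YAML.

```python
import re

# Affected ranges as stated in the advisory: 3.1.x < 3.1.1, 3.0.x < 3.0.7,
# plus older, unsupported lines (anything below 3.0).
FIXED_PATCH = {(3, 1): 1, (3, 0): 7}

def parse_properties(text):
    """Minimal application.properties parser: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def _csv(value):
    return {item.strip() for item in value.split(",") if item.strip()}

def gateway_endpoint_exposed(props):
    """True when /actuator/gateway is enabled and web-exposed. Spring Boot defaults:
    enabled=true, include="health", exclude wins over include, "*" matches all."""
    enabled = props.get("management.endpoint.gateway.enabled", "true").lower() == "true"
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    included = "*" in include or "gateway" in include
    excluded = "*" in exclude or "gateway" in exclude
    return enabled and included and not excluded

def version_affected(version):
    """True if a Spring Cloud Gateway version string falls in an affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(g) for g in m.groups())
    if (major, minor) in FIXED_PATCH:
        return patch < FIXED_PATCH[(major, minor)]
    return (major, minor) < (3, 0)  # older, unsupported lines are affected

def assess(properties_text, version):
    """Vulnerable only when an affected release also exposes the endpoint."""
    exposed = gateway_endpoint_exposed(parse_properties(properties_text))
    affected = version_affected(version)
    return {"exposed": exposed, "version_affected": affected, "vulnerable": exposed and affected}

# Constructed sample: the advisory's configuration, checked on an affected release.
SAMPLE_CONFIG = "management.endpoint.gateway.enabled=true\nmanagement.endpoints.web.exposure.include=gateway\n"
SAMPLE_RESULT = assess(SAMPLE_CONFIG, "3.1.0")  # -> all three flags True
```

Setting `management.endpoint.gateway.enabled=false` as described above, or upgrading to 3.1.1 / 3.0.7, flips `vulnerable` to `False` in this check.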

Vulnerability 2 - Insecure TrustManager (CVE-2022-22946)

When HTTP/2 is enabled and no keystore or trusted certificates are configured, Spring Cloud Gateway falls back to an insecure TrustManager, so it will connect to remote services that present invalid or custom certificates.

Affected version: Spring Cloud Gateway 3.1.0.

Mitigation: Upgrade to Spring Cloud Gateway 3.1.1 or later.

References:

https://tanzu.vmware.com/security/cve-2022-22946

https://tanzu.vmware.com/security/cve-2022-22947

Written by

Java Backend Technology

Focus on Java-related technologies: SSM, Spring ecosystem, microservices, MySQL, MyCat, clustering, distributed systems, middleware, Linux, networking, multithreading. Occasionally cover DevOps tools like Jenkins, Nexus, Docker, and ELK. Also share technical insights from time to time, committed to Java full-stack development!
