Spring Cloud Gateway Vulnerabilities CVE-2022-22946 and CVE-2022-22947: Description, Impact, and Mitigation
This article explains two critical Spring Cloud Gateway vulnerabilities (CVE-2022-22946 and CVE-2022-22947), detailing their causes, affected versions, potential impact, and recommended remediation steps such as upgrading to safe releases or disabling the vulnerable actuator endpoint.
Spring Cloud Gateway, a project under Spring Cloud built on Spring 5.0, Spring Boot 2.0, and Project Reactor, provides a unified API routing solution for microservice architectures.
Vulnerability 1: Remote Code Execution (CVE-2022-22947)
On March 1, 2022, VMware released a security advisory fixing a command-injection flaw in Spring Cloud Gateway (CVE-2022-22947). If the Gateway Actuator endpoint is exposed, an attacker can execute arbitrary SpEL expressions, leading to remote code execution and system compromise.
Impact Conditions
The application uses Spring Cloud Gateway together with Spring Boot Actuator and exposes the /actuator/gateway endpoint.
The gateway endpoint is enabled in configuration, e.g.:
# default is true
management.endpoint.gateway.enabled=true
# expose gateway endpoint via actuator
management.endpoints.web.exposure.include=gateway
Affected Versions
Spring Cloud Gateway 3.1.x < 3.1.1
Spring Cloud Gateway 3.0.x < 3.0.7
Other older, unsupported releases
Mitigation
Upgrade to a safe version: Spring Cloud Gateway 3.1.1 or 3.0.7.
Alternatively, disable the gateway actuator endpoint by setting management.endpoint.gateway.enabled=false in application.properties.
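The two impact conditions and the affected-version ranges above can be checked mechanically. The following audit helper is an added example, not code from the article or from the Spring Cloud project; it reads an application.properties fragment (the constructed samples below mirror the article's snippet and its workaround) and applies the version rule from the Affected Versions list.

```python
import re
from typing import Dict, List

# Constructed sample: the exposure conditions listed in the article.
VULNERABLE_PROPS = """
# default is true
management.endpoint.gateway.enabled=true
# expose gateway endpoint via actuator
management.endpoints.web.exposure.include=gateway
"""
# Constructed sample: the same file after the article's workaround.
HARDENED_PROPS = """
management.endpoint.gateway.enabled=false
management.endpoints.web.exposure.include=gateway
"""

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines; '#'/'!' comments ignored."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def gateway_endpoint_exposed(props: Dict[str, str]) -> bool:
    """True when the gateway actuator endpoint is enabled AND exposed over the web."""
    # The article notes the endpoint is enabled by default, so an absent key counts as enabled.
    enabled = props.get("management.endpoint.gateway.enabled", "true").lower() == "true"
    # An absent include key is treated as not exposing "gateway" (assumption: no other exposure).
    include = {s.strip() for s in props.get("management.endpoints.web.exposure.include", "").split(",")}
    exclude = {s.strip() for s in props.get("management.endpoints.web.exposure.exclude", "").split(",")}
    return enabled and ("gateway" in include or "*" in include) and "gateway" not in exclude

def version_vulnerable(version: str) -> bool:
    """Affected: 3.1.x < 3.1.1, 3.0.x < 3.0.7, and every older release line."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(g) for g in m.groups())
    if (major, minor) == (3, 1):
        return patch < 1
    if (major, minor) == (3, 0):
        return patch < 7
    return (major, minor) < (3, 0)

def assess(version: str, properties_text: str) -> List[str]:
    """Findings for one deployment; the RCE path needs BOTH findings to be present."""
    findings = []
    if version_vulnerable(version):
        findings.append(f"Spring Cloud Gateway {version} is affected; upgrade to 3.1.1 or 3.0.7")
    if gateway_endpoint_exposed(parse_properties(properties_text)):
        findings.append("gateway actuator endpoint enabled and web-exposed; set management.endpoint.gateway.enabled=false")
    return findings
```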
Vulnerability 2: Insecure TrustManager in HTTP/2 (CVE-2022-22946)
This flaw affects Spring Cloud Gateway 3.1.0 when HTTP/2 is enabled without proper keystore or trusted certificates, causing the gateway to use an insecure TrustManager that accepts invalid or custom certificates for outbound connections.
Mitigation
Upgrade to Spring Cloud Gateway 3.1.1 or later, which includes the security fix.
References
https://tanzu.vmware.com/security/cve-2022-22946
https://tanzu.vmware.com/security/cve-2022-22947
Code Ape Tech Column
Former Ant Group P8 engineer, pure technologist, sharing full‑stack Java, job interview and career advice through a column. Site: java-family.cn