Cybersecurity specialists report the detection of two vulnerabilities in VMware Spring Cloud Gateway, a library for creating API gateways over Spring and Java for a flexible way to route requests based on a number of criteria. According to the report, the exploitation of these flaws could lead to dangerous hacking scenarios.
Below are brief descriptions of the reported security flaws in addition to their tracking keys and score according to the Common Vulnerability Scoring System (CVSS).
CVE-2022-22947: Code injection when the Gateway Actuator endpoint is enabled would allow remote threat actors to send specially crafted HTTP POST requests to execute arbitrary code on the affected system.
This is a highly severe vulnerability and received a CVSS score of 9/10 as it could be remotely exploited by non-authenticated malicious hackers.
CVE-2022-22946: A security evasion issue when using TrustManager HTTP2 would allow local users to send a specially crafted request and connect to remote services with invalid or custom certificates.
This is a low severity failure and received a CVSS score of 4.8/10. This issue can be exploited locally, so the attacker must be authenticated on the compromised system.
The flaws reside in Spring Cloud Gateway versions between v3.0.0 and 3.1.0.
While there are publicly available exploits for these flaws, so far no active exploitation attempts related to these reports have been detected. However, the developers recommend addressing the flaws as soon as possible.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.