CVE-2022-22947: 
Java vulnerability analysis and mitigation

CVE-2022-22947 is a critical code injection vulnerability affecting Spring Cloud Gateway versions prior to 3.1.1+ and 3.0.7+. The vulnerability was discovered and reported by Wyatt Dahlenburg and publicly disclosed on March 1, 2022. The vulnerability affects applications using Spring Cloud Gateway when the Gateway Actuator endpoint is enabled, exposed, and unsecured (Spring Security, CVE Mitre).

The vulnerability stems from Spring Expression Language (SpEL) expressions being passed to the StandardEvaluationContext context, which allows any valid SpEL expression passed to the context to be executed. The vulnerability has received a CVSS v3.0 base score of 10.0 (Critical), indicating the highest severity level. The attack vector is network-based, with low attack complexity, requiring no privileges or user interaction (AttackerKB).

A successful exploitation of this vulnerability allows a remote attacker to make maliciously crafted requests that could lead to arbitrary remote code execution on the affected host. The vulnerability has critical impact ratings for confidentiality, integrity, and availability (Spring Security).

Users of affected versions should upgrade to Spring Cloud Gateway version 3.1.1+ (for 3.1.x users) or version 3.0.7+ (for 3.0.x users). If the Gateway actuator endpoint is not needed, it should be disabled via management.endpoint.gateway.enabled: false. If the actuator is required, it should be secured using Spring Security. The vulnerability has been fixed in Spring Cloud Gateway versions 3.1.1+ and 3.0.7+ (Spring Security).