Two vulnerabilities in Spring Cloud Gateway have been identified and fixed. Versions 3.1.1 and 3.0.7 were released to address the vulnerabilities. Please see the CVE reports below for specific upgrade and mitigation instructions:
- CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability
- CVE-2022-22946: Spring Cloud Gateway HTTP2 Insecure TrustManager
Spring Cloud users should upgrade to 2021.0.1 (which includes 3.1.1). Users on 2020.0.x should upgrade Spring Cloud Gateway to 3.0.7.