Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote code execution on the host.
Users of affected versions should apply the following remediation. 3.1.x users should upgrade to 3.1.1+. 3.0.x users should upgrade to 3.0.7+.

If the Gateway actuator endpoint is not needed, it should be disabled via management.endpoint.gateway.enabled: false. If the actuator is required, it should be secured using Spring Security; see https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html#actuator.endpoints.security.

Releases that have fixed this issue include:
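The advisory's second remediation, securing the actuator with Spring Security when it cannot be disabled, is shown below as an added example; it is not code from the advisory or from the Spring Cloud Gateway project. It assumes a Spring Cloud Gateway application (WebFlux, so the reactive Spring Security API applies), a role name ACTUATOR_ADMIN chosen here for illustration, and that the health endpoint is the only one that should stay anonymously reachable. The configuration keys management.endpoints.web.exposure.include and management.endpoint.gateway.enabled referenced in the comments are real Spring Boot properties; the latter is the one named in the advisory.

```java
// Added example (not part of the Spring advisory): restrict every actuator
// endpoint, including /actuator/gateway, to authenticated administrators.
//
// Pair this with the property-level controls in application.yml:
//   management.endpoint.gateway.enabled: false        # preferred if unused (from the advisory)
//   management.endpoints.web.exposure.include: health  # expose only what is needed
// This filter chain is the defence for the case where the gateway endpoint
// must remain enabled and exposed.

import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    // Role name is an assumption for this example; map it to whatever your
    // identity provider issues for operators allowed to manage the gateway.
    private static final String ACTUATOR_ADMIN_ROLE = "ACTUATOR_ADMIN";

    // Highest precedence so this chain is evaluated before any broader
    // application chain that might otherwise permit the actuator paths.
    @Bean
    @Order(1)
    SecurityWebFilterChain actuatorSecurity(ServerHttpSecurity http) {
        return http
            // Apply this chain only to requests aimed at actuator endpoints;
            // EndpointRequest tracks the configured base path (/actuator by default).
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeExchange(exchanges -> exchanges
                // Liveness/readiness probes commonly need anonymous access.
                .matchers(EndpointRequest.to("health")).permitAll()
                // Everything else under /actuator, including /actuator/gateway,
                // requires an authenticated caller holding the admin role.
                .anyExchange().hasRole(ACTUATOR_ADMIN_ROLE))
            // HTTP Basic is used here for brevity; any authentication mechanism
            // supported by Spring Security (OAuth2 resource server, mTLS, ...) works.
            .httpBasic(Customizer.withDefaults())
            .build();
    }
}
```

After wiring this in, verify the posture from outside the service: an unauthenticated request to /actuator/gateway/routes should return 401, while /actuator/health still answers. Note that the vulnerable behaviour is reached through the gateway endpoint's route-management operations, so even when authentication is in place the role granted here should be held only by operators who are expected to change routes, not by ordinary application users.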
This vulnerability was discovered and responsibly reported by Wyatt Dahlenburg.
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy