PT-2022-1950 · Spring · Spring Cloud Gateway

Published 2021-10-10 · Updated 2026-01-13 · CVE-2022-22947

CVSS v3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache HTTP Server versions 2.4.47-alt1 through 2.4.57-alt2; Spring Cloud Gateway versions prior to 3.1.1+ and 3.0.7+

Description: The Apache HTTP Server is affected by HTTP request splitting with mod_rewrite and mod_proxy (CVE-2023-25690). Additionally, a server-side request forgery (SSRF) issue exists in mod_proxy when handling crafted request URI paths containing "unix:" (CVE-2021-40438). A buffer overflow is possible in mod_lua when parsing multipart content (CVE-2021-44790). Spring Cloud Gateway is vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed, and unsecured, potentially allowing remote code execution.

Recommendations: Update Apache HTTP Server to version 2.4.57-alt2 or later. Update Spring Cloud Gateway to version 3.1.1+ or 3.0.7+ or later.

Exploit

Fix

Weakness Enumeration

Code Injection

Related Identifiers

ALSA-2025_16880
ALT-PU-2021-3013
ALT-PU-2021-3018
ALT-PU-2021-3037
ALT-PU-2021-3060
BDU:2022-01507
CVE-2022-22947
GHSA-3GX9-37WW-9QW6

Affected Products

Spring Cloud Gateway