PT-2022-1950 · Spring · Spring Cloud Gateway
Published: 2021-10-10 · Updated: 2026-03-01
CVE-2022-22947
CVSS v3.1: 10 (Critical) | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Apache HTTP Server versions 2.4.47-alt1 through 2.4.57-alt2
Spring Cloud Gateway versions prior to 3.1.1 and 3.0.7
Description
The Apache HTTP Server is affected by HTTP request splitting involving mod_rewrite and mod_proxy (CVE-2023-25690). Additionally, a server-side request forgery (SSRF) issue exists in mod_proxy when handling crafted request URI paths containing "unix:" (CVE-2021-40438). A buffer overflow is possible in mod_lua when parsing multipart content (CVE-2021-44790).
Spring Cloud Gateway is vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed, and unsecured, potentially allowing remote code execution.
Recommendations
Update Apache HTTP Server to version 2.4.57-alt2 or later.
Update Spring Cloud Gateway to version 3.1.1 or 3.0.7 or later.
Code Injection
Related Identifiers
Affected Products
Spring Cloud Gateway