PT-2022-2172 · Spring · Spring Cloud Gateway

Published 2022-03-01 · Updated 2023-02-22 · CVE-2022-22946

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Spring Cloud Gateway versions prior to 3.1.1+

Description: The issue lies in the TrustManager implementation that the Spring Cloud Gateway library, used for building API gateways, relies on for certificate validation; the certificate validation step is flawed. Exploitation of this issue may allow an attacker to connect to remote services. When HTTP2 is enabled and no key store or trusted certificates are configured in an application using Spring Cloud Gateway, an insecure TrustManager is used, so the gateway connects to remote services that present invalid or custom certificates.

Recommendations: For Spring Cloud Gateway versions prior to 3.1.1+, update to version 3.1.1 or later to resolve the issue. As a temporary workaround, consider disabling HTTP2 or configuring a key store with trusted certificates so that the insecure TrustManager is not used. Restrict access to remote services until the issue is resolved.
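The following application.yml is an added illustration, not code from the advisory or from the Spring Cloud Gateway project: the first YAML document shows the configuration under which an affected version falls back to the insecure TrustManager, the second shows the corrected configuration using the gateway's documented httpclient SSL properties. The two documents are alternative files shown side by side, and the backend host, certificate paths and password variable are placeholders.

```yaml
# Added example (not from the advisory or the project).
# Document 1: vulnerable state on Spring Cloud Gateway before 3.1.1.
# HTTP/2 is enabled and neither a key store nor trusted certificates are
# configured, so the outbound HttpClient uses an insecure TrustManager and
# accepts any certificate a routed backend presents.
server:
  http2:
    enabled: true
spring:
  cloud:
    gateway:
      routes:
        - id: backend
          uri: https://backend.internal.example:8443   # placeholder host
          predicates:
            - Path=/api/**

---
# Document 2: corrected configuration (in addition to upgrading to 3.1.1+).
# Trusted certificates are pinned, so backend certificates are validated
# against them instead of being accepted blindly. The advisory's other
# temporary workaround is simply server.http2.enabled: false.
server:
  http2:
    enabled: true
spring:
  cloud:
    gateway:
      httpclient:
        ssl:
          # Explicit opt-in to the same insecure TrustManager; keep it false.
          use-insecure-trust-manager: false
          # PEM-encoded CA certificate(s) the gateway trusts (placeholder path).
          trusted-x509-certificates:
            - /etc/gateway/certs/internal-ca.pem
          # Optional client identity for mutual TLS to the backends (placeholders).
          key-store: file:/etc/gateway/certs/gateway-client.p12
          key-store-type: PKCS12
          key-store-password: ${GATEWAY_KEYSTORE_PASSWORD}
      routes:
        - id: backend
          uri: https://backend.internal.example:8443   # placeholder host
          predicates:
            - Path=/api/**
```

After applying the second configuration, a backend that presents a certificate not chained to the pinned CA should fail the gateway's TLS handshake rather than be proxied.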

Fix

Weakness Enumeration: Improper Certificate Validation

Related Identifiers: BDU:2022-02183, CVE-2022-22946

Affected Products: Spring Cloud Gateway