VMware Spring Cloud Gateway 3.0 < 3.0.7 / 3.1 < 3.1.1 Code Injection

##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(163631);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/17");

  script_cve_id("CVE-2022-22947");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/06/06");

  script_name(english:"VMware Spring Cloud Gateway 3.0 < 3.0.7 / 3.1 < 3.1.1 Code Injection");

  script_set_attribute(attribute:"synopsis", value:
"Spring Cloud Gateway running on the remote host is affected by a code injection vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Spring Cloud Gateway running on the remote host is affected by a code injection vulnerability.
Applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and
unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the
remote host.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://tanzu.vmware.com/security/cve-2022-22947");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Spring Cloud Gateway version 3.0.7, 3.1.1, or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-22947");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Spring Cloud Gateway Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/03/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/03/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/07/29");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:spring_cloud_gateway");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("vmware_spring_cloud_gateway_installed.nbin");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::get_app_info(app:'Spring Cloud Gateway');

var constraints = [
  {'min_version' : '3.0', 'fixed_version' : '3.0.7'},
  {'min_version' : '3.1', 'fixed_version' : '3.1.1'}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);