Is API Gateway Vulnerable to CVE-2022-22970 and CVE-2022-22971?
API Gateway 10, 10.1
As of now.
Though the scan flagged these CVEs, Gateway is not affected by them because Layer7 Gateway uses neither Spring's parameter/data binding feature nor STOMP messaging with Spring.
The CVE description says: 'A Spring MVC or Spring WebFlux application that handles file uploads is vulnerable to DoS attack if it relies on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.'
It is a medium-severity issue, and because Gateway does not use the data-binding feature, it cannot be exploited even if it exists in the VM.
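When a scanner flags the same two CVEs in a Spring application whose source you own, the preconditions named above can be checked directly. The script below is an added example, not code from this article or from the Gateway: a heuristic source triage that looks for a field typed `MultipartFile` or `Part` (a data-binding target) and for STOMP broker configuration. The regexes, function names and sample sources are constructed for illustration.

```python
import re
from pathlib import Path

# Field declarations (not method parameters or assignments) typed as an upload part.
UPLOAD_FIELD = re.compile(
    r"^[ \t]*(?:(?:private|protected|public|final)\s+)*"
    r"(?:List<\s*)?(?:MultipartFile|Part)\b[^;(=]*;",
    re.MULTILINE,
)
# Spring's STOMP-over-WebSocket broker configuration.
STOMP_CONFIG = re.compile(r"@EnableWebSocketMessageBroker\b|\bregisterStompEndpoints\s*\(")

CHECKS = {
    "CVE-2022-22970": UPLOAD_FIELD,  # data binding onto a MultipartFile/Part field
    "CVE-2022-22971": STOMP_CONFIG,  # STOMP messaging with Spring
}

def triage(sources):
    """Map each CVE id to the source names whose text shows its precondition."""
    hits = {cve: [] for cve in CHECKS}
    for name, text in sorted(sources.items()):
        for cve, pattern in CHECKS.items():
            if pattern.search(text):
                hits[cve].append(name)
    return hits

def triage_tree(root):
    """Run triage() over every .java file under root."""
    files = Path(root).rglob("*.java")
    return triage({str(p): p.read_text(errors="replace") for p in files})

# Constructed sample sources (not taken from any real product).
SAMPLE = {
    "UploadForm.java": """public class UploadForm {
    private MultipartFile attachment;
}""",
    "UploadController.java": """@RestController
public class UploadController {
    @PostMapping("/upload")
    public String upload(@RequestParam("file") MultipartFile file) { return file.getOriginalFilename(); }
}""",
    "WsConfig.java": """@Configuration
@EnableWebSocketMessageBroker
public class WsConfig implements WebSocketMessageBrokerConfigurer {
    public void registerStompEndpoints(StompEndpointRegistry registry) { registry.addEndpoint("/ws"); }
}""",
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An empty list for a CVE means the precondition was not found in the scanned sources; a hit is a lead for manual review, not proof of exposure.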