search cancel

Api Gateway and CVE-2022-22970 and CVE-2022-22971

book

Article ID: 254559

calendar_today

Updated On:

Products

CA API Gateway

Issue/Introduction

Is the API Gateway Vulnerable to CVE-2022-22970 and CVE-2022-22971

Environment

CA API Gateway 10, 10.1, 11.0

Resolution

Though the scan flagged these CVEs, the Gateway is not affected by them because the Gateway does not use Spring's parameter/data binding feature and also STOMP messaging with Spring.

The CVE description says: 'A Spring MVC or Spring WebFlux application that handles file uploads is vulnerable to DoS attack if it relies on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.'

It is a medium-severity issue and the Gateway does not use a data-binding feature so there is no way it can be exploited even if it exists in the VM.