API Gateway and CVE-2022-22970 and CVE-2022-22971



Article ID: 254559




CA Mobile API Gateway


Is API Gateway vulnerable to CVE-2022-22970 and CVE-2022-22971?


API Gateway 10, 10.1


As of now.

Though the scan flagged these CVEs, Gateway is not affected by them because Layer7 Gateway does not use Spring's parameter/data binding feature, nor does it use STOMP messaging with Spring.

CVE description says: 'A Spring MVC or Spring WebFlux application that handles file uploads is vulnerable to DoS attack if it relies on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.'

It is a medium-severity issue, and because Gateway does not use the data-binding feature, there is no way it can be exploited even if it exists in the VM.
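For teams triaging the same scanner finding in their own Spring code, the condition quoted from the CVE description can be checked at source level. The following is an added example, not from this article or from Layer7: a heuristic Python scan over Java source (the sample classes are constructed) that lists fields typed as `MultipartFile` or `Part`. A hit only marks a class to review for use as a bound model object.

```python
import re

# Added triage example: flag classes that declare MultipartFile / Part fields,
# the shape named in the CVE-2022-22970 description. Heuristic and line-based.
CLASS_RE = re.compile(r"\bclass\s+(\w+)")
FIELD_RE = re.compile(
    r"^\s*(?:@\w+(?:\([^)]*\))?\s+)*"                                  # annotations
    r"(?:(?:private|protected|public|static|final|transient|volatile)\s+)*"
    r"([\w.]+(?:<[\w.,\s<>?]+>)?(?:\[\])?)\s+(\w+)\s*(?:=.*)?;\s*$"    # type, name
)
UPLOAD_TYPE_RE = re.compile(r"\b(?:MultipartFile|Part)\b")

def find_upload_fields(java_source):
    """Return (class, field, declared type) for fields typed as an upload object."""
    hits, stack, depth = [], [], 0            # stack holds (class name, body depth)
    for raw in java_source.splitlines():
        line = raw.split("//", 1)[0]          # drop line comments
        decl = CLASS_RE.search(line)
        if decl:
            stack.append((decl.group(1), depth + 1))
        elif stack and depth == stack[-1][1]:  # member level, not inside a method
            field = FIELD_RE.match(line)
            if field and UPLOAD_TYPE_RE.search(field.group(1)):
                hits.append((stack[-1][0], field.group(2), field.group(1)))
        depth += line.count("{") - line.count("}")
        while "}" in line and stack and depth < stack[-1][1]:
            stack.pop()                       # left the innermost class body
    return hits

# Constructed sample source (hypothetical classes, not Gateway code).
SAMPLE = """
public class ProfileForm {
    private String displayName;
    private MultipartFile avatar;            // candidate: set by data binding
    private List<MultipartFile> attachments = new ArrayList<>();
    public void setAvatar(MultipartFile avatar) { this.avatar = avatar; }
}
class ReportService {
    private final PartialResult cache = null;
    String store(MultipartFile upload) {
        MultipartFile copy = upload;         // local variable, not a field
        return copy.getOriginalFilename();
    }
}
"""

if __name__ == "__main__":
    for cls, name, typ in find_upload_fields(SAMPLE):
        print(f"{cls}.{name}: {typ} -> review whether {cls} is bound from request data")
```

An empty result supports a "library present, code path absent" assessment only for the source that was scanned; third-party model classes need the same check.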
