
Api Gateway and CVE-2022-22970 and CVE-2022-22971


Article ID: 254559

Products

CA Mobile API Gateway

Issue/Introduction

Is API Gateway Vulnerable to CVE-2022-22970 and CVE-2022-22971

Environment

API Gateway 10, 10.1

Resolution

As of now, Gateway is not affected.

Although the scan flagged these CVEs, Gateway is not affected by them: Layer7 Gateway does not use Spring's parameter/data binding feature, nor does it use STOMP messaging with Spring.


CVE description says: 'A Spring MVC or Spring WebFlux application that handles file uploads is vulnerable to DoS attack if it relies on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.'

It is a medium-severity issue, and because Gateway does not use the data-binding feature there is no way it can be exploited, even if the affected Spring library exists in the VM.
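To make the condition in the CVE text concrete, the following added illustration (not Gateway code, and not part of this article) shows a Spring MVC handler that relies on data binding to set a MultipartFile on a model-object field, beside the same upload taken as an explicit handler parameter so that no model-object binding of the file occurs. The class and endpoint names are hypothetical; for an application that does use the binding pattern, the remedy is the patched Spring Framework release referenced by the CVE advisory, not merely rewriting the handler.

```java
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.multipart.MultipartFile;

// Hypothetical model object: Spring's data binder will populate the
// "file" field from the multipart request. This is the pattern the
// CVE-2022-22970 description refers to.
class UploadForm {
    private String description;
    private MultipartFile file;

    public String getDescription() { return description; }
    public void setDescription(String description) { this.description = description; }
    public MultipartFile getFile() { return file; }
    public void setFile(MultipartFile file) { this.file = file; }
}

@RestController
class UploadController {

    // Pattern named in the CVE text: the MultipartFile is set on a field of
    // the model object through data binding (@ModelAttribute). An application
    // using this on an unpatched Spring release is within the CVE's scope.
    @PostMapping("/upload-bound")
    public String uploadViaBinding(@ModelAttribute UploadForm form) {
        return "received " + form.getFile().getOriginalFilename();
    }

    // Same upload taken directly as a handler parameter. No model-object
    // binding of the file takes place, which is the condition the CVE text
    // attaches to the issue (this mirrors why Gateway, which does not use
    // Spring data binding at all, is out of scope).
    @PostMapping("/upload-param")
    public String uploadViaParam(@RequestParam("file") MultipartFile file,
                                 @RequestParam("description") String description) {
        return "received " + file.getOriginalFilename();
    }
}
```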

Additional Information

DE539685