Miggo Logo
Miggo Vulnerability Database
CVE-2022-22979

CVE-2022-22979: Denial of Service in Spring Cloud Function

7.5

CVSS Score
3.0

Basic Information

CVE ID
CVE-2022-22979
GHSA ID
GHSA-q588-3544-8g33
EPSS Score
0.74358%
CWE
CWE-770
Published
6/22/2022
Updated
1/27/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.springframework.cloud:spring-cloud-function-parentmaven< 3.2.63.2.6

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper caching in the Function Catalog component (CWE-770). The SimpleFunctionRegistry's lookup method is responsible for function resolution and caching. Prior to 3.2.6, this implementation likely used an unbounded cache, allowing attackers to create unlimited cached function entries via crafted requests. This matches the advisory's description of a DoS through framework lookup functionality and aligns with the Function Catalog's role in managing function instances. The web module exposure mentioned in VMware's advisory suggests this lookup path is externally triggerable.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In Sprin* *lou* *un*tion v*rsions prior to *.*.*, it is possi*l* *or * us*r w*o *ir**tly int*r**ts wit* *r*m*work provi*** lookup *un*tion*lity to **us* * **ni*l-o*-s*rvi** *on*ition *u* to t** ****in* issu* in t** *un*tion **t*lo* *ompon*nt o* t** *

Reasoning

T** vuln*r**ility st*ms *rom improp*r ****in* in t** *un*tion **t*lo* *ompon*nt (*W*-***). T** Simpl**un*tionR**istry's lookup m*t*o* is r*sponsi*l* *or *un*tion r*solution *n* ****in*. Prior to *.*.*, t*is impl*m*nt*tion lik*ly us** *n un*oun*** ***