Vulnerability Monitor


CVE-2022-22946


In Spring Cloud Gateway versions prior to 3.1.1+, applications that are configured to enable HTTP2 and have no key store or trusted certificates set will be configured to use an insecure TrustManager. This allows the gateway to connect to remote services with invalid or custom certificates.


Published

2022-03-04T16:15:10.377

Last Modified

2024-11-21T06:47:39.557

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.5 (MEDIUM)

CVSSv2 Vector

AV:L/AC:L/Au:N/C:N/I:P/A:N

  • Access Vector: LOCAL
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

Exploitability Score

3.9

Impact Score

2.9

Weaknesses
  • Type: Primary
    CWE-295

Affected Vendors & Products

| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | vmware | spring_cloud_gateway | 3.1.0 | Yes |
| Application | oracle | commerce_guided_search | 11.3.2 | Yes |
| Application | oracle | communications_cloud_native_core_binding_support_function | 22.1.3 | Yes |
| Application | oracle | communications_cloud_native_core_console | 22.2.0 | Yes |
| Application | oracle | communications_cloud_native_core_network_repository_function | 22.1.2 | Yes |
| Application | oracle | communications_cloud_native_core_network_repository_function | 22.2.0 | Yes |
| Application | oracle | communications_cloud_native_core_security_edge_protection_proxy | 22.1.1 | Yes |
