Vulnerability Monitor

CVE-2022-22976

Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.

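As an added illustration of the overflow the advisory describes (this is not Spring Security's own code): BCrypt derives its round count from the work factor as 1 shifted left by logRounds, and in a 32-bit Java int 1 << 31 wraps to Integer.MIN_VALUE, so a loop bounded by it makes zero passes, whereas widening to long before the shift keeps 2^31. The class, its method names and the stored-hash cost check are assumptions made for this example.

```java
import java.util.List;

/** CVE-2022-22976 illustration, not Spring Security's own code. BCrypt derives its
 *  round count from the work factor as 1 << logRounds; in a 32-bit int, 1 << 31 wraps. */
public final class BCryptWorkFactorDemo {

    /** Pre-fix shape: 32-bit shift. For logRounds == 31 this is Integer.MIN_VALUE. */
    static int roundsVulnerable(int logRounds) {
        if (logRounds < 4 || logRounds > 31) {
            throw new IllegalArgumentException("Bad number of rounds");
        }
        return 1 << logRounds;
    }

    /** Fixed shape: widen to long before shifting, so 2^31 is representable. */
    static long roundsFixed(int logRounds) {
        if (logRounds < 4 || logRounds > 31) {
            throw new IllegalArgumentException("Bad number of rounds");
        }
        return 1L << logRounds;
    }

    /** Passes a key-expansion loop of the form `for (i = 0; i < rounds; i++)` makes. */
    static long passes(long rounds) {
        return Math.max(0L, rounds);
    }

    /** Defender check (hypothetical helper): does a stored bcrypt hash carry cost 31?
     *  Assumes the usual "$2<x>$<two-digit cost>$<53 chars>" layout, 60 characters in all. */
    static boolean hashedAtMaxWorkFactor(String hash) {
        if (hash == null || hash.length() != 60 || hash.charAt(3) != '$' || hash.charAt(6) != '$') {
            return false;
        }
        return Integer.parseInt(hash.substring(4, 6)) == 31;
    }

    public static void main(String[] args) {
        System.out.println("vulnerable rounds at work factor 31: " + roundsVulnerable(31));
        System.out.println("key-expansion passes actually made:  " + passes(roundsVulnerable(31)));
        System.out.println("fixed rounds at work factor 31:      " + roundsFixed(31));
        System.out.println("key-expansion passes actually made:  " + passes(roundsFixed(31)));
        // Constructed sample hashes, not real credentials; only the cost field matters here.
        List<String> stored = List.of("$2a$10$" + "x".repeat(53), "$2a$31$" + "y".repeat(53));
        for (String h : stored) {
            System.out.println(h.substring(0, 7) + " flag for rehash after upgrade: " + hashedAtMaxWorkFactor(h));
        }
    }
}
```

Hashes flagged by the last check were produced at the affected work factor and are candidates for re-hashing once the application runs a fixed Spring Security release.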
Published

2022-05-19T15:15:08.000

Last Modified

2024-11-21T06:47:43.560

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses
  • Type: Secondary
    CWE-190
  • Type: Primary
    CWE-190

Affected Vendors & Products

Type         Vendor   Product                                                   Version/Range  Vulnerable?
Application  vmware   spring_security                                           < 5.5.7        Yes
Application  vmware   spring_security                                           < 5.6.4        Yes
Application  vmware   spring_security                                           5.2.0          Yes
Application  oracle   financial_services_crime_and_compliance_management_studio  8.0.8.2.0      Yes
Application  oracle   financial_services_crime_and_compliance_management_studio  8.0.8.3.0      Yes
Application  netapp   active_iq_unified_manager                                 -              Yes

References