5.5

CVE-2022-22946

EPSS 0.98%
Published 04.03.2022 16:15:10
Last modified 21.11.2024 06:47:39
Source security@vmware.com
Teams watchlist Login
Open Login

In spring cloud gateway versions prior to 3.1.1+ , applications that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or custom certificates.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

VMware ≫ Spring Cloud Gateway Version3.1.0

Oracle ≫ Commerce Guided Search Version11.3.2

Oracle ≫ Communications Cloud Native Core Binding Support Function Version22.1.3

Oracle ≫ Communications Cloud Native Core Console Version22.2.0

Oracle ≫ Communications Cloud Native Core Network Repository Function Version22.1.2

Oracle ≫ Communications Cloud Native Core Network Repository Function Version22.2.0

Oracle ≫ Communications Cloud Native Core Security Edge Protection Proxy Version22.1.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.98%	0.758

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	2.1	3.9	2.9	AV:L/AC:L/Au:N/C:N/I:P/A:N

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

https://www.oracle.com/security-alerts/cpujul2022.html

Patch

Third Party Advisory

https://tanzu.vmware.com/security/cve-2022-22946

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-22946

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-22946

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-22946

EUVD