CVE-2022-31733

EPSS 0.12%
Veröffentlicht 03.02.2023 19:15:11
Zuletzt bearbeitet 25.03.2025 20:15:13
Quelle security@vmware.com
Teams Watchlist Login
Unerledigt Login

Starting with diego-release 2.55.0 and up to 2.69.0, and starting with CF Deployment 17.1 and up to 23.2.0, apps are accessible via another port on diego cells, allowing application ingress without a client certificate. If mTLS route integrity is enabled AND unproxied ports are turned off, then an attacker could connect to an application that should be only reachable via mTLS, without presenting a client certificate.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cloudfoundry ≫ Cf-deployment Version >= 17.1 <= 23.2.0

Cloudfoundry ≫ Diego Version >= 2.55.0 <= 2.69.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.12%	0.283

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

https://www.cloudfoundry.org/blog/cve-2022-31733-unsecured-application-port

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-31733

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-31733

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-31733

EUVD