CVE-2022-31733

EPSS 0.12%
Published 03.02.2023 19:15:11
Last modified 25.03.2025 20:15:13
Source security@vmware.com
Teams watchlist Login
Open Login

Starting with diego-release 2.55.0 and up to 2.69.0, and starting with CF Deployment 17.1 and up to 23.2.0, apps are accessible via another port on diego cells, allowing application ingress without a client certificate. If mTLS route integrity is enabled AND unproxied ports are turned off, then an attacker could connect to an application that should be only reachable via mTLS, without presenting a client certificate.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Cloudfoundry ≫ Cf-deployment Version >= 17.1 <= 23.2.0

Cloudfoundry ≫ Diego Version >= 2.55.0 <= 2.69.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.12%	0.283

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

https://www.cloudfoundry.org/blog/cve-2022-31733-unsecured-application-port

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-31733

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-31733

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-31733

EUVD