CVE-2022-22946
CVE-2022-22946 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. In Spring Cloud Gateway versions prior to 3.1.1+, applications that are configured to enable HTTP/2 without a key store or trusted certificates set are configured to use an insecure TrustManager. This lets the gateway connect to remote services that present invalid or custom certificates. EPSS estimates a 4.73% chance of exploitation in the next 30 days.
Description
In Spring Cloud Gateway versions prior to 3.1.1+, applications that are configured to enable HTTP/2 without a key store or trusted certificates set are configured to use an insecure TrustManager. This lets the gateway connect to remote services that present invalid or custom certificates.
Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Vmware | Spring Cloud Gateway | 3.1.0 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Communications Cloud Native Core Binding Support Function | 22.1.3 |
| Oracle | Communications Cloud Native Core Console | 22.2.0 |
| Oracle | Communications Cloud Native Core Network Repository Function | 22.1.2 |
| Oracle | Communications Cloud Native Core Network Repository Function | 22.2.0 |
| Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 22.1.1 |
References
- https://tanzu.vmware.com/security/cve-2022-22946 (Vendor Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
Source: NVD / NIST
