ID

VAR-202203-0234


CVE

CVE-2022-22946


TITLE

Certificate validation vulnerability in spring cloud gateway

Trust: 0.8

sources: JVNDB: JVNDB-2022-007989

DESCRIPTION

In spring cloud gateway versions prior to 3.1.1+, applications that are configured to enable HTTP2 and have no key store or trusted certificates set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or custom certificates. A certificate validation vulnerability exists in spring cloud gateway. Information may be tampered with.

Trust: 1.8

sources: NVD: CVE-2022-22946 // JVNDB: JVNDB-2022-007989 // VULHUB: VHN-411806 // VULMON: CVE-2022-22946

AFFECTED PRODUCTS

vendor: vmware, model: spring cloud gateway, scope: eq, version: 3.1.0

Trust: 1.0

vendor: oracle, model: communications cloud native core binding support function, scope: eq, version: 22.1.3

Trust: 1.0

vendor: oracle, model: communications cloud native core security edge protection proxy, scope: eq, version: 22.1.1

Trust: 1.0

vendor: oracle, model: communications cloud native core network repository function, scope: eq, version: 22.1.2

Trust: 1.0

vendor: oracle, model: communications cloud native core network repository function, scope: eq, version: 22.2.0

Trust: 1.0

vendor: oracle, model: commerce guided search, scope: eq, version: 11.3.2

Trust: 1.0

vendor: oracle, model: communications cloud native core console, scope: eq, version: 22.2.0

Trust: 1.0

vendor: Oracle, model: oracle communications cloud native core console, scope: -, version: -

Trust: 0.8

vendor: Oracle, model: oracle commerce guided search, scope: -, version: -

Trust: 0.8

vendor: Oracle, model: oracle communications cloud native core network repository function, scope: -, version: -

Trust: 0.8

vendor: vmware, model: spring cloud gateway, scope: -, version: -

Trust: 0.8

vendor: Oracle, model: oracle communications cloud native core binding support function, scope: -, version: -

Trust: 0.8

vendor: Oracle, model: oracle communications cloud native core security edge protection proxy, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-007989 // NVD: CVE-2022-22946

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-22946
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-22946
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202203-158
value: MEDIUM

Trust: 0.6

VULHUB: VHN-411806
value: LOW

Trust: 0.1

VULMON: CVE-2022-22946
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2022-22946
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-411806
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-22946
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2022-22946
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-411806 // VULMON: CVE-2022-22946 // JVNDB: JVNDB-2022-007989 // CNNVD: CNNVD-202203-158 // NVD: CVE-2022-22946

PROBLEMTYPE DATA

problemtype:CWE-295

Trust: 1.1

problemtype: Illegal certificate verification (CWE-295) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-411806 // JVNDB: JVNDB-2022-007989 // NVD: CVE-2022-22946

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202203-158

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-202203-158

PATCH

title: Oracle Critical Patch Update Advisory - July 2022, url: https://spring.io/security/cve-2022-22946

Trust: 0.8

title: VMware Spring Cloud Gateway Fixing measures for security feature vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=184954

Trust: 0.6

title: Spring_CVE_2022_22947 Affected scope: Mitigation: PoC exploitation: Second PoC exploitation: Exploitation method:, url: https://github.com/wjl110/Spring_CVE_2022_22947

Trust: 0.1

title: CVE-2022-XXXX, url: https://github.com/AlphabugX/CVE-2022-23305

Trust: 0.1

title: CVE-2022-XXXX, url: https://github.com/AlphabugX/CVE-2022-RCE

Trust: 0.1

sources: VULMON: CVE-2022-22946 // JVNDB: JVNDB-2022-007989 // CNNVD: CNNVD-202203-158

EXTERNAL IDS

db: NVD, id: CVE-2022-22946

Trust: 3.4

db: JVNDB, id: JVNDB-2022-007989

Trust: 0.8

db: CS-HELP, id: SB2022030313

Trust: 0.6

db: CNNVD, id: CNNVD-202203-158

Trust: 0.6

db: VULHUB, id: VHN-411806

Trust: 0.1

db: VULMON, id: CVE-2022-22946

Trust: 0.1

sources: VULHUB: VHN-411806 // VULMON: CVE-2022-22946 // JVNDB: JVNDB-2022-007989 // CNNVD: CNNVD-202203-158 // NVD: CVE-2022-22946

REFERENCES

url:https://tanzu.vmware.com/security/cve-2022-22946

Trust: 1.8

url:https://www.oracle.com/security-alerts/cpujul2022.html

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-22946

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-22946/

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022030313

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/295.html

Trust: 0.1

url:https://github.com/wjl110/spring_cve_2022_22947

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-411806 // VULMON: CVE-2022-22946 // JVNDB: JVNDB-2022-007989 // CNNVD: CNNVD-202203-158 // NVD: CVE-2022-22946

SOURCES

db: VULHUB, id: VHN-411806
db: VULMON, id: CVE-2022-22946
db: JVNDB, id: JVNDB-2022-007989
db: CNNVD, id: CNNVD-202203-158
db: NVD, id: CVE-2022-22946

LAST UPDATE DATE

2024-11-23T20:00:59.890000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-411806, date: 2023-02-22T00:00:00
db: VULMON, id: CVE-2022-22946, date: 2023-02-22T00:00:00
db: JVNDB, id: JVNDB-2022-007989, date: 2023-07-24T02:03:00
db: CNNVD, id: CNNVD-202203-158, date: 2022-07-26T00:00:00
db: NVD, id: CVE-2022-22946, date: 2024-11-21T06:47:39.557

SOURCES RELEASE DATE

db: VULHUB, id: VHN-411806, date: 2022-03-04T00:00:00
db: VULMON, id: CVE-2022-22946, date: 2022-03-04T00:00:00
db: JVNDB, id: JVNDB-2022-007989, date: 2023-07-24T00:00:00
db: CNNVD, id: CNNVD-202203-158, date: 2022-03-03T00:00:00
db: NVD, id: CVE-2022-22946, date: 2022-03-04T16:15:10.377