Lucene search

VmwareCVE-2022-22946

HistoryMar 04, 2022 - 4:15 p.m.

CVE-2022-22946

2022-03-0416:15:10

CWE-295

vmware

web.nvd.nist.gov

132

security

cve-2022-22946

spring cloud gateway

http2

trustmanager

remote services

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:N/C:N/I:P/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

AI Score

5.7

Confidence

High

EPSS

Percentile

15.6%

JSON

In spring cloud gateway versions prior to 3.1.1+ , applications that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or custom certificates.

Affected configurations

Nvd

Node

vmwarespring_cloud_gatewayMatch3.1.0

Node

oraclecommerce_guided_searchMatch11.3.2

oraclecommunications_cloud_native_core_binding_support_functionMatch22.1.3

oraclecommunications_cloud_native_core_consoleMatch22.2.0

oraclecommunications_cloud_native_core_network_repository_functionMatch22.1.2

oraclecommunications_cloud_native_core_network_repository_functionMatch22.2.0

oraclecommunications_cloud_native_core_security_edge_protection_proxyMatch22.1.1

VendorProductVersionCPE
vmwarespring_cloud_gateway3.1.0cpe:2.3:a:vmware:spring_cloud_gateway:3.1.0:*:*:*:*:*:*:*
oraclecommerce_guided_search11.3.2cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*
oraclecommunications_cloud_native_core_binding_support_function22.1.3cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:*:*:*:*:*:*:*
oraclecommunications_cloud_native_core_console22.2.0cpe:2.3:a:oracle:communications_cloud_native_core_console:22.2.0:*:*:*:*:*:*:*
oraclecommunications_cloud_native_core_network_repository_function22.1.2cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.2:*:*:*:*:*:*:*
oraclecommunications_cloud_native_core_network_repository_function22.2.0cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.2.0:*:*:*:*:*:*:*
oraclecommunications_cloud_native_core_security_edge_protection_proxy22.1.1cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
vmware	spring_cloud_gateway	3.1.0	cpe:2.3:a:vmware:spring_cloud_gateway:3.1.0:::::::*
oracle	commerce_guided_search	11.3.2	cpe:2.3:a:oracle:commerce_guided_search:11.3.2:::::::*
oracle	communications_cloud_native_core_binding_support_function	22.1.3	cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:::::::*
oracle	communications_cloud_native_core_console	22.2.0	cpe:2.3:a:oracle:communications_cloud_native_core_console:22.2.0:::::::*
oracle	communications_cloud_native_core_network_repository_function	22.1.2	cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.2:::::::*
oracle	communications_cloud_native_core_network_repository_function	22.2.0	cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.2.0:::::::*
oracle	communications_cloud_native_core_security_edge_protection_proxy	22.1.1	cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.1:::::::*

CNA Affected

[
  {
    "product": "Spring Cloud Gateway",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Spring cloud gateway versions 3.1.x prior to 3.1.1+"
      }
    ]
  }
]

References

tanzu.vmware.com/security/cve-2022-22946

www.oracle.com/security-alerts/cpujul2022.html

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:N/C:N/I:P/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

AI Score

5.7

Confidence

High

EPSS

Percentile

15.6%

JSON

Related for CVE-2022-22946