// For flags

CVE-2022-22946

 

Severity Score

5.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In spring cloud gateway versions prior to 3.1.1+ , applications that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or custom certificates.

En spring cloud gateway versiones anteriores a 3.1.1+ , las aplicaciones que son configuradas para habilitar HTTP2 y no es establecido un almacén de claves o certificados confiables son configurados para usar un TrustManager no seguro. Esto hace que la pasarela pueda conectarse a servicios remotos con certificados no válidos o personalizados

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-01-10 CVE Reserved
  • 2022-03-04 CVE Published
  • 2023-09-25 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-295: Improper Certificate Validation
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Vmware
Search vendor "Vmware"
Spring Cloud Gateway
Search vendor "Vmware" for product "Spring Cloud Gateway"
3.1.0
Search vendor "Vmware" for product "Spring Cloud Gateway" and version "3.1.0"
-
Affected
Oracle
Search vendor "Oracle"
Commerce Guided Search
Search vendor "Oracle" for product "Commerce Guided Search"
11.3.2
Search vendor "Oracle" for product "Commerce Guided Search" and version "11.3.2"
-
Affected
Oracle
Search vendor "Oracle"
Communications Cloud Native Core Binding Support Function
Search vendor "Oracle" for product "Communications Cloud Native Core Binding Support Function"
22.1.3
Search vendor "Oracle" for product "Communications Cloud Native Core Binding Support Function" and version "22.1.3"
-
Affected
Oracle
Search vendor "Oracle"
Communications Cloud Native Core Console
Search vendor "Oracle" for product "Communications Cloud Native Core Console"
22.2.0
Search vendor "Oracle" for product "Communications Cloud Native Core Console" and version "22.2.0"
-
Affected
Oracle
Search vendor "Oracle"
Communications Cloud Native Core Network Repository Function
Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function"
22.1.2
Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function" and version "22.1.2"
-
Affected
Oracle
Search vendor "Oracle"
Communications Cloud Native Core Network Repository Function
Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function"
22.2.0
Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function" and version "22.2.0"
-
Affected
Oracle
Search vendor "Oracle"
Communications Cloud Native Core Security Edge Protection Proxy
Search vendor "Oracle" for product "Communications Cloud Native Core Security Edge Protection Proxy"
22.1.1
Search vendor "Oracle" for product "Communications Cloud Native Core Security Edge Protection Proxy" and version "22.1.1"
-
Affected