CVE-2022-22976
springframework: BCrypt skips salt rounds for work factor of 31
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
Spring Security versiones 5.5.x anteriores a 5.5.7, 5.6.x anteriores a 5.6.4 y versiones anteriores no soportadas, contienen una vulnerabilidad de desbordamiento de enteros. Cuando es usada la clase BCrypt con el máximo factor de trabajo (31), el codificador no lleva a cabo ninguna ronda salt, debido a un error de desbordamiento de enteros. La configuración por defecto no está afectada por esta CVE
A flaw was found in Spring Framework. The encoder does not perform any salt rounds when using the BCrypt class with the maximum work factor (31) due to an integer overflow error.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-01-10 CVE Reserved
- 2022-05-19 CVE Published
- 2023-12-10 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-190: Integer Overflow or Wraparound
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| https://security.netapp.com/advisory/ntap-20220707-0003 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.oracle.com/security-alerts/cpujul2022.html | 2024-06-13 |
| URL | Date | SRC |
|---|---|---|
| https://tanzu.vmware.com/security/cve-2022-22976 | 2024-06-13 | |
| https://access.redhat.com/security/cve/CVE-2022-22976 | 2023-06-19 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2087214 | 2023-06-19 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Vmware Search vendor "Vmware" | Spring Security Search vendor "Vmware" for product "Spring Security" | >= 5.2.1 < 5.5.7 Search vendor "Vmware" for product "Spring Security" and version " >= 5.2.1 < 5.5.7" | - |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Spring Security Search vendor "Vmware" for product "Spring Security" | >= 5.6.0 < 5.6.4 Search vendor "Vmware" for product "Spring Security" and version " >= 5.6.0 < 5.6.4" | - |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Spring Security Search vendor "Vmware" for product "Spring Security" | 5.2.0 Search vendor "Vmware" for product "Spring Security" and version "5.2.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Financial Services Crime And Compliance Management Studio Search vendor "Oracle" for product "Financial Services Crime And Compliance Management Studio" | 8.0.8.2.0 Search vendor "Oracle" for product "Financial Services Crime And Compliance Management Studio" and version "8.0.8.2.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Financial Services Crime And Compliance Management Studio Search vendor "Oracle" for product "Financial Services Crime And Compliance Management Studio" | 8.0.8.3.0 Search vendor "Oracle" for product "Financial Services Crime And Compliance Management Studio" and version "8.0.8.3.0" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager" | - | linux |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager" | - | vmware_vsphere |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager" | - | windows |
Affected
| ||||||