CVE-2022-22946

CWE-295 — Improper Certificate Validation7 documents4 sources

Severity

5.5MEDIUM

EPSS

0.7%

top 27.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Oracle Commerce Guided Search Oracle Communications Cloud Native Core Binding Support Function Oracle Communications Cloud Native Core Console +3 more

Timeline

PublishedMar 4

Latest updateOct 15

Description

In spring cloud gateway versions prior to 3.1.1+ , applications that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or custom certificates.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages7 packages

▶CVEListV5spring_cloud_gatewaySpring cloud gateway versions 3.1.x prior to 3.1.1+

▶NVDvmware/spring_cloud_gateway3.1.0

▶NVDoracle/communications_cloud_native_core_console22.2.0

▶NVDoracle/communications_cloud_native_core_binding_support_function22.1.3

▶NVDoracle/communications_cloud_native_core_network_repository_function22.1.2, 22.2.0+1

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-28g5-j6gh-p2vw: In spring cloud gateway versions prior to 3↗2022-03-05

▶

CVEList

CVE-2022-22946: In spring cloud gateway versions prior to 3↗2022-03-04

▶

📋Vendor Advisories

Oracle

Oracle Oracle Essbase Risk Matrix: Build (cURL) — CVE-2021-22946↗2022-10-15

▶

Oracle

Oracle Oracle Commerce Risk Matrix: Framework, Experience Manager (cURL) — CVE-2021-22946↗2022-07-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: CNC BSF (cURL) — CVE-2021-22946↗2022-04-15

▶

Oracle

Oracle Oracle MySQL Risk Matrix: Server: Compiling (cURL) — CVE-2021-22946↗2022-01-15

▶