CVE-2022-22976

CWE-190 — Integer Overflow6 documents5 sources

Severity

5.3MEDIUM

EPSS

0.4%

top 41.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Spring Security Oracle Financial Services Crime AND Compliance Management Studio

Timeline

PublishedMay 19

Latest updateMay 20

Description

Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶Mavenorg.springframework.security:spring-security-core5.2.0.RELEASE — 5.5.7+1

▶NVDvmware/spring_security5.2.1 — 5.5.7+2

▶CVEListV5spring_securitySpring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions

▶NVDoracle/financial_services_crime_and_compliance_management_studio8.0.8.2.0, 8.0.8.3.0+1

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Integer overflow in BCrypt class in Spring Security↗2022-05-20

▶

OSV

Integer overflow in BCrypt class in Spring Security↗2022-05-20

▶

CVEList

CVE-2022-22976: Spring Security versions 5↗2022-05-19

▶

OSV

CVE-2022-22976: Spring Security versions 5↗2022-05-19

▶

📋Vendor Advisories

Red Hat

springframework: BCrypt skips salt rounds for work factor of 31↗2022-05-17

▶