Vulnerability Description
In spring cloud gateway versions prior to 3.1.1+ , applications that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or custom certificates.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vmware | Spring Cloud Gateway | 3.1.0 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Communications Cloud Native Core Binding Support Function | 22.1.3 |
| Oracle | Communications Cloud Native Core Console | 22.2.0 |
| Oracle | Communications Cloud Native Core Network Repository Function | 22.1.2 |
| Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 22.1.1 |
Related Weaknesses (CWE)
References
- https://tanzu.vmware.com/security/cve-2022-22946Vendor Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
- https://tanzu.vmware.com/security/cve-2022-22946Vendor Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
FAQ
What is CVE-2022-22946?
CVE-2022-22946 is a vulnerability with a CVSS score of 5.5 (MEDIUM). In spring cloud gateway versions prior to 3.1.1+ , applications that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager....
How severe is CVE-2022-22946?
CVE-2022-22946 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-22946?
Check the references section above for vendor advisories and patch information. Affected products include: Vmware Spring Cloud Gateway, Oracle Commerce Guided Search, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Console, Oracle Communications Cloud Native Core Network Repository Function.