Vulnerability Description
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vmware | Spring Security | >= 5.2.1, < 5.5.7 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.2.0 |
| Netapp | Active Iq Unified Manager | - |
Related Weaknesses (CWE)
References
- https://security.netapp.com/advisory/ntap-20220707-0003/Third Party Advisory
- https://tanzu.vmware.com/security/cve-2022-22976MitigationVendor Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
- https://security.netapp.com/advisory/ntap-20220707-0003/Third Party Advisory
- https://tanzu.vmware.com/security/cve-2022-22976MitigationVendor Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
FAQ
What is CVE-2022-22976?
CVE-2022-22976 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work facto...
How severe is CVE-2022-22976?
CVE-2022-22976 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-22976?
Check the references section above for vendor advisories and patch information. Affected products include: Vmware Spring Security, Oracle Financial Services Crime And Compliance Management Studio, Netapp Active Iq Unified Manager.