CVE-2022-22946

CVE Database · CVE-2022-22946

CVE-2022-22946

· MEDIUMModified

CVSS v3.1

5.5

EPSS

4.73%

Published

Mar 4, 2022

Modified

Nov 21, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

In spring cloud gateway versions prior to 3.1.1+ , applications that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or custom certificates.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Weaknesses (CWE)

CWE-295

Affected Products (7)

vmware · spring_cloud_gatewayvulnerable

oracle · commerce_guided_searchvulnerable

oracle · communications_cloud_native_core_binding_support_functionvulnerable

oracle · communications_cloud_native_core_consolevulnerable

oracle · communications_cloud_native_core_network_repository_functionvulnerable

oracle · communications_cloud_native_core_security_edge_protection_proxyvulnerable

References (4)