CVE-2022-22976

CVE Database · CVE-2022-22976

CVE-2022-22976

· MEDIUMModified

CVSS v3.1

5.3

EPSS

2.14%

Published

May 19, 2022

Modified

Nov 21, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Weaknesses (CWE)

CWE-190CWE-190

Affected Products (8)

vmware · spring_security (up to 5.5.7)vulnerable

vmware · spring_security (up to 5.6.4)vulnerable

vmware · spring_securityvulnerable

oracle · financial_services_crime_and_compliance_management_studiovulnerable

netapp · active_iq_unified_managervulnerable

References (6)

https://security.netapp.com/advisory/ntap-20220707-0003/