CVE-2022-22946

moderate-risk

Published 2022-03-04

In spring cloud gateway versions prior to 3.1.1+ , applications that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or custom certificates.

Do I need to act?

0.73% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.5/10 Medium

LOCAL / LOW complexity

Affected Products (7)

Spring Cloud Gateway

Commerce Guided Search

Communications Cloud Native Core Binding Support Function

Communications Cloud Native Core Console

Communications Cloud Native Core Network Repository Function

Communications Cloud Native Core Security Edge Protection Proxy

Affected Vendors

Oracle Vmware

References (4)

Vendor Advisory https://tanzu.vmware.com/security/cve-2022-22946

Patch https://www.oracle.com/security-alerts/cpujul2022.html

Vendor Advisory https://tanzu.vmware.com/security/cve-2022-22946

Patch https://www.oracle.com/security-alerts/cpujul2022.html

/ 100

moderate-risk

Severity 18/34 · Moderate

Exploitability 2/34 · Minimal

Exposure 14/34 · Moderate