CVE-2022-22971

moderate-risk

Published 2022-05-12

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user.

Do I need to act?

0.34% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (5)

Spring Framework

Financial Services Crime And Compliance Management Studio

Cloud Secure Agent

Oncommand Insight

Affected Vendors

Oracle Vmware Netapp

References (6)

Third Party Advisory https://security.netapp.com/advisory/ntap-20220616-0003/

Mitigation https://tanzu.vmware.com/security/cve-2022-22971

Patch https://www.oracle.com/security-alerts/cpujul2022.html

Third Party Advisory https://security.netapp.com/advisory/ntap-20220616-0003/

Mitigation https://tanzu.vmware.com/security/cve-2022-22971

Patch https://www.oracle.com/security-alerts/cpujul2022.html

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 1/34 · Minimal

Exposure 12/34 · Low