Wiz
Vulnerability DatabaseCVE-2022-22946

CVE-2022-22946
Oracle Communications CNC BSF vulnerability analysis and mitigation

Overview

CVE-2022-22946 affects Spring Cloud Gateway versions prior to 3.1.1+. The vulnerability was discovered and reported on March 1, 2022, by Benjamin Bargeton from BNP Paribas. Applications using Spring Cloud Gateway that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager (Spring Security, NVD).

Technical details

The vulnerability has a CVSS v3.1 Base Score of 5.5 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. The vulnerability is classified as CWE-295 (Improper Certificate Validation). When HTTP2 is enabled without proper key store or trusted certificates configuration, the gateway uses an insecure TrustManager, which compromises the security of connections to remote services (NVD).

Impact

The vulnerability makes the gateway able to connect to remote services with invalid or custom certificates, potentially compromising the security of communications between services. This could lead to man-in-the-middle attacks or unauthorized access to sensitive information (Spring Security).

Mitigation and workarounds

Users of affected versions should upgrade to Spring Cloud Gateway version 3.1.1+ to address this vulnerability. No other steps are necessary after the upgrade. The fix has been implemented in all releases from version 3.1.1 and onwards (Spring Security).

Additional resources

SourceThis report was generated using AI

Related Oracle Communications CNC BSF vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2022-22965CRITICAL9.8
  • Oracle WebLogic ServerOracle WebLogic Server
  • cpe:2.3:a:oracle:weblogic_server
YesYesApr 01, 2022
CVE-2021-4203MEDIUM6.8
  • Linux KernelLinux Kernel
  • linux-gcp-5.11
NoYesMar 25, 2022
CVE-2022-0322MEDIUM5.5
  • Linux KernelLinux Kernel
  • linux-oem-5.13
NoYesMar 25, 2022
CVE-2023-21971MEDIUM5.3
  • JavaJava
  • cpe:2.3:a:oracle:mysql_connectors
NoYesApr 18, 2023
CVE-2023-21824MEDIUM4.4
  • Oracle Communications CNC PolicyOracle Communications CNC Policy
  • cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function
NoYesJan 18, 2023

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo