CVE-2022-22946
First published: Fri Mar 04 2022(Updated: )
In spring cloud gateway versions prior to 3.1.1+ , applications that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or custom certificates.
Credit: security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| VMware Spring Cloud Gateway | =3.1.0 | |
| Oracle Commerce Guided Search | =11.3.2 | |
| Oracle Communications Cloud Native Core Binding Support Function | =22.1.3 | |
| Oracle Communications Cloud Native Core Console | =22.2.0 | |
| Oracle Communications Cloud Native Core Network Repository Function | =22.1.2 | |
| Oracle Communications Cloud Native Core Network Repository Function | =22.2.0 | |
| Oracle Communications Cloud Native Core Security Edge Protection Proxy | =22.1.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-22946?
CVE-2022-22946 is a vulnerability in spring cloud gateway versions prior to 3.1.1+ that allows the gateway to connect to remote services with invalid or custom certificates.
How does CVE-2022-22946 impact applications?
CVE-2022-22946 affects applications that are configured to enable HTTP2 without setting a key store or trusted certificates, making them vulnerable to insecure TrustManager.
Which software versions are affected by CVE-2022-22946?
CVE-2022-22946 affects the following software versions: VMware Spring Cloud Gateway 3.1.0, Oracle Commerce Guided Search 11.3.2, Oracle Communications Cloud Native Core Binding Support Function 22.1.3, Oracle Communications Cloud Native Core Console 22.2.0, Oracle Communications Cloud Native Core Network Repository Function 22.1.2 and 22.2.0, VMware Spring Cloud Gateway 22.1.1.
What is the severity of CVE-2022-22946?
CVE-2022-22946 has a severity rating of medium, with a severity value of 5.5.
Where can I find more information about CVE-2022-22946?
You can find more information about CVE-2022-22946 at the following references: [VMware Security Advisory](https://tanzu.vmware.com/security/cve-2022-22946) and [Oracle Security Alerts](https://www.oracle.com/security-alerts/cpujul2022.html).
- agent/references
- agent/last-modified-date
- agent/first-publish-date
- agent/type
- agent/severity
- agent/remedy
- agent/author
- agent/weakness
- agent/description
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/vmware
- canonical/vmware spring cloud gateway
- version/vmware spring cloud gateway/3.1.0
- vendor/oracle
- canonical/oracle commerce guided search
- version/oracle commerce guided search/11.3.2
- canonical/oracle communications cloud native core binding support function
- version/oracle communications cloud native core binding support function/22.1.3
- canonical/oracle communications cloud native core console
- version/oracle communications cloud native core console/22.2.0
- canonical/oracle communications cloud native core network repository function
- version/oracle communications cloud native core network repository function/22.1.2
- version/oracle communications cloud native core network repository function/22.2.0
- canonical/oracle communications cloud native core security edge protection proxy
- version/oracle communications cloud native core security edge protection proxy/22.1.1