In spring cloud gateway versions prior to 3.1.1+ , applications that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or custom certificates.
References
Link | Resource |
---|---|
https://tanzu.vmware.com/security/cve-2022-22946 | Vendor Advisory |
https://www.oracle.com/security-alerts/cpujul2022.html | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
22 Feb 2023, 17:46
Type | Values Removed | Values Added |
---|---|---|
First Time |
Oracle communications Cloud Native Core Security Edge Protection Proxy
Oracle communications Cloud Native Core Binding Support Function Oracle communications Cloud Native Core Console Oracle Oracle commerce Guided Search Oracle communications Cloud Native Core Network Repository Function |
|
References | (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory | |
References | (MISC) https://tanzu.vmware.com/security/cve-2022-22946 - Vendor Advisory | |
CPE | cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_console:22.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:* |
25 Jul 2022, 18:19
Type | Values Removed | Values Added |
---|---|---|
References |
|
21 Mar 2022, 16:19
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 2.1
v3 : 5.5 |
First Time |
Vmware spring Cloud Gateway
Vmware |
|
CPE | cpe:2.3:a:vmware:spring_cloud_gateway:3.1.0:*:*:*:*:*:*:* | |
References | (MISC) https://tanzu.vmware.com/security/cve-2022-22946 - Third Party Advisory | |
CWE | CWE-295 |
04 Mar 2022, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-03-04 16:15
Updated : 2023-12-10 14:22
NVD link : CVE-2022-22946
Mitre link : CVE-2022-22946
CVE.ORG link : CVE-2022-22946
JSON object : View
Products Affected
oracle
- communications_cloud_native_core_security_edge_protection_proxy
- commerce_guided_search
- communications_cloud_native_core_console
- communications_cloud_native_core_network_repository_function
- communications_cloud_native_core_binding_support_function
vmware
- spring_cloud_gateway
CWE
CWE-295
Improper Certificate Validation