Description

In spring cloud gateway versions prior to 3.1.1+ , applications that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or custom certificates.

Related CPE's

a

vmware

spring_cloud_gateway

3.1.0

Vulnerable

a

oracle

commerce_guided_search

11.3.2

Vulnerable

a

oracle

communications_cloud_native_core_binding_support_function

22.1.3

Vulnerable

a

oracle

communications_cloud_native_core_console

22.2.0

Vulnerable

a

oracle

communications_cloud_native_core_network_repository_function

2

a

oracle

communications_cloud_native_core_security_edge_protection_proxy

22.1.1

Vulnerable

References

https://tanzu.vmware.com/security/cve-2022-22946

Vendor Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

PatchThird Party Advisory

Weaknesses

[email protected]

Primary
CWE-295

CVSS impact metrics

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

5.5 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2022-03-04T16:15:10.377

3 years ago

Last modified

2023-02-22T17:46:02.053

2 years ago