CVE-2022-22946

MEDIUM

Spring Cloud Gateway - Improper Certificate Validation

Title source: llm
STIX 2.1

Description

In spring cloud gateway versions prior to 3.1.1+ , applications that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or custom certificates.

References (2)

Core 2
Core References
Vendor Advisory x_refsource_misc
https://tanzu.vmware.com/security/cve-2022-22946
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2022.html

Scores

CVSS v3 5.5
EPSS 0.0073
EPSS Percentile 72.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-295
Status published
Products (7)
oracle/commerce_guided_search 11.3.2
oracle/communications_cloud_native_core_binding_support_function 22.1.3
oracle/communications_cloud_native_core_console 22.2.0
oracle/communications_cloud_native_core_network_repository_function 22.1.2
oracle/communications_cloud_native_core_network_repository_function 22.2.0
oracle/communications_cloud_native_core_security_edge_protection_proxy 22.1.1
vmware/spring_cloud_gateway 3.1.0
Published Mar 04, 2022
Tracked Since Feb 18, 2026