CVE-2022-22976
Severity CVSS v4.0:
Pending analysis
Type:
CWE-190
Integer Overflow or Wraparound
Publication date:
19/05/2022
Last modified:
13/06/2024
Description
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
Impact
Base Score 3.x
5.30
Severity 3.x
MEDIUM
Base Score 2.0
4.30
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:* | 5.2.1 (including) | 5.5.7 (excluding) |
| cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:* | 5.6.0 (including) | 5.6.4 (excluding) |
| cpe:2.3:a:vmware:spring_security:5.2.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:* | ||
| cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:* | ||
| cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:* |
To consult the complete list of CPE names with products and versions, see this page