CVE-2022-22946

Medium

Published: 04 March 2022
Modified: 21 November 2024
KEV Added: not listed
Patch
CVSS v3.1 score: 5.5 (vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
EPSS score: 0.0073 (73.0th percentile)
Risk priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-22946 is a medium-severity Improper Certificate Validation (CWE-295) vulnerability in Oracle Communications Cloud Native Core Network Repository Function. Its CVSS base score is 5.5 (Medium).

Operationally, it ranks in the top 27.0% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

In Spring Cloud Gateway versions prior to 3.1.1+, applications that are configured to enable HTTP2 and have no key store or trusted certificates set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or custom certificates.

CWE(s): CWE-295 (Improper Certificate Validation)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor   Product                                                        Version(s)
vmware   spring cloud gateway                                           3.1.0
oracle   commerce guided search                                         11.3.2
oracle   communications cloud native core binding support function      22.1.3
oracle   communications cloud native core console                       22.2.0
oracle   communications cloud native core network repository function   22.1.2, 22.2.0
oracle   communications cloud native core security edge protection proxy   22.1.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-295: When certificates are used to establish component provenance, the control requires correct certificate validation procedures.

Addresses CWE-295: Mandates approved trust anchors and issuance policies, directly preventing acceptance of unvalidated or untrusted certificates.

Addresses CWE-295: Correct system time is required for proper enforcement of certificate notBefore/notAfter dates and time-based revocation checks.