Cyber Posture

CVE-2022-43916

Medium

Published: 30 January 2025

Modified: 13 August 2025
KEV Added
Patch
CVSS Score: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0010 (27.5th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-43916 is a medium-severity Improper Restriction of Communication Channel to Intended Endpoints (CWE-923) vulnerability in IBM App Connect Enterprise Certified Container. Its CVSS base score is 6.8 (Medium).

Operationally, it is ranked at the 27.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Enforces organization-defined information flow control policies to restrict communications to intended endpoints, directly preventing unauthorized network egress from internal infrastructure pods.

prevent

Monitors and controls communications at external boundaries and key internal interfaces, mitigating unrestricted egress traffic from pods through enforced network segmentation.

prevent

Limits systems to least functionality by configuring internal infrastructure pods to disable or restrict unnecessary outbound network capabilities.

NVD Description

IBM App Connect Enterprise Certified Container 7.1, 7.2, 8.0, 8.1, 8.2, 9.0, 9.1, 9.2, 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 12.0, 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, and 12.7 Pods do not restrict network egress for Pods that are used for internal infrastructure.

Deeper analysis

CVE-2022-43916 is a vulnerability in IBM App Connect Enterprise Certified Container versions 7.1, 7.2, 8.0, 8.1, 8.2, 9.0, 9.1, 9.2, 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 12.0, 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, and 12.7, where Pods used for internal infrastructure do not restrict network egress. This issue is classified under CWE-923 (Improper Restriction of Communication Channel to Intended Endpoints) and carries a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N).

The vulnerability can be exploited by a low-privileged user (PR:L) over the network (AV:N), though it requires high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation enables high impacts on confidentiality and integrity (C:H/I:H) with no availability disruption (A:N), maintaining an unchanged security scope (S:U).

IBM provides mitigation guidance in its security advisory at https://www.ibm.com/support/pages/node/7181916.

Details

CWE(s)

Affected Products

ibm
app connect enterprise certified container
7.1 — 12.8

CVEs Like This One

CVE-2026-35092 (Same product: Red Hat OpenShift)
CVE-2026-34205 (Shared CWE-923)
CVE-2026-23664 (Shared CWE-923)
CVE-2025-61939 (Shared CWE-923)
CVE-2026-35091 (Same product: Red Hat OpenShift)
CVE-2024-56340 (Same vendor: IBM)
CVE-2026-32589 (Same vendor: Red Hat)
CVE-2026-28369 (Same vendor: Red Hat)
CVE-2024-43187 (Same vendor: IBM)
CVE-2025-0162 (Same vendor: IBM)
