Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-22976

Good to know:

icon
icon

Date: May 19, 2022

Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.

Language: Java

Severity Score

Related Resources (9)

https://tanzu.vmware.com/security/cve-2022-22976
https://security.netapp.com/advisory/ntap-20220707-0003/
https://github.com/spring-projects/spring-security/commit/a40f73521c0dd88b879ff6165d280e78bdf8154f
https://nvd.nist.gov/vuln/detail/CVE-2022-22976
https://www.oracle.com/security-alerts/cpujul2022.html
https://github.com/spring-projects/spring-security/commit/388a7b62b906bd56deadb7ca45248fa1a63bdf12
https://github.com/spring-projects/spring-security
https://security.netapp.com/advisory/ntap-20220707-0003
https://www.mend.io/vulnerability-database/CVE-2022-22976

Severity Score

Weakness Type (CWE)

Integer Overflow or Wraparound

CWE-190

Top Fix

icon

Upgrade Version

Upgrade to version org.springframework.security:spring-security-crypto:5.5.7,5.6.4

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): NONE
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us