Vulnerability DatabaseCVE-2022-22976
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2022-22976
May 19, 2022
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
Affected Packages
https://github.com/spring-projects/spring-security.git (GITHUB):
Affected version(s) >=5.6.0 <5.6.4
Fix Suggestion:
Update to version 5.6.4
https://github.com/spring-projects/spring-security.git (GITHUB):
Affected version(s) >=1.0.0 <5.5.7
Fix Suggestion:
Update to version 5.5.7
org.springframework.security:spring-security-crypto (JAVA):
Affected version(s) >=5.6.0 <5.6.4
Fix Suggestion:
Update to version 5.6.4
org.springframework.security:spring-security-crypto (JAVA):
Affected version(s) >=3.1.0.RC1 <5.5.7
Fix Suggestion:
Update to version 5.5.7
org.springframework.security:spring-security-crypto (JAVA):
Affected version(s) >=4.2.0.RELEASE <4.2.20-spring-security-4.2.21
Fix Suggestion:
Update to version 4.2.20-spring-security-4.2.21
org.springframework.security:spring-security-core (JAVA):
Affected version(s) >=5.6.0 <5.6.4
Fix Suggestion:
Update to version 5.6.4
org.springframework.security:spring-security-core (JAVA):
Affected version(s) >=5.2.0.RELEASE <5.5.7
Fix Suggestion:
Update to version 5.5.7
Related ResourcesĀ (8)
https://github.com/spring-projects/spring-security
https://github.com/spring-projects/spring-security/commit/a40f73521c0dd88b879ff6165d280e78bdf8154f
https://github.com/spring-projects/spring-security/commit/388a7b62b906bd56deadb7ca45248fa1a63bdf12
https://security.netapp.com/advisory/ntap-20220707-0003
https://security.netapp.com/advisory/ntap-20220707-0003/
https://www.oracle.com/security-alerts/cpujul2022.html
https://nvd.nist.gov/vuln/detail/CVE-2022-22976
https://tanzu.vmware.com/security/cve-2022-22976
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
CVSS v2
Base Score:
4.3
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
Weakness Type (CWE)
Integer Overflow or Wraparound
CWE-190
EPSS
Base Score:
0.36