CVE-2022-22946: Spring Cloud Gateway HTTP2 Insecure TrustManager

Severity

Medium

Vendor

Spring by VMware

Description

Applications using Spring Cloud Gateway that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or custom certificates.

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

Spring Cloud Gateway
- 3.1.0

Mitigation

Users of affected versions should apply the following mitigation. 3.1.x users should upgrade to 3.1.1+. No other steps are necessary. Releases that have fixed this issue include:

Spring Cloud Gateway
- 3.1.1+

Credit

This vulnerability was discovered and responsibly reported by Benjamin Bargeton from BNP Paribas.

References

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

History

2022-03-01: Initial vulnerability report published.

Pourquoi Tanzu

Produits

Consulting

Démarrer

Ressources