Description

In spring cloud gateway versions prior to 3.1.1+ , applications that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or custom certificates.

Remediation

References

CVE-2022-22946

Related Vulnerabilities

WordPress Plugin Simple File List Arbitrary File Download (3.2.7)

WordPress Plugin Integration for Gravity Forms and Pipedrive Cross-Site Scripting (1.0.6)

Ruby Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Vulnerability (CVE-2011-3624)

phpMyAdmin Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2014-1879)

Joomla Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-6261)

Severity

Medium

Classification

CVE-2022-22946 CWE-295 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Tags

Missing Update Known Vulnerabilities