CVE-2022-22976

Опубликовано: 17 мая 2022

Источник: redhat

CVSS3: 5.3

EPSS Низкий

Описание

Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.

A flaw was found in Spring Framework. The encoder does not perform any salt rounds when using the BCrypt class with the maximum work factor (31) due to an integer overflow error.

Затронутые пакеты

Платформа	Пакет	Состояние
A-MQ Clients 2	springframework	Not affected
Red Hat build of Quarkus	springframework	Not affected
Red Hat Data Grid 8	springframework	Not affected
Red Hat Decision Manager 7	springframework	Fix deferred
Red Hat Integration Camel K 1	springframework	Not affected
Red Hat Integration Camel Quarkus 1	springframework	Not affected
Red Hat Integration Data Virtualisation Operator	springframework	Out of support scope
Red Hat JBoss BRMS 5	springframework	Out of support scope
Red Hat JBoss Data Grid 7	springframework	Out of support scope
Red Hat JBoss Data Virtualization 6	springframework	Out of support scope

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-190

https://bugzilla.redhat.com/show_bug.cgi?id=2087214springframework: BCrypt skips salt rounds for work factor of 31

EPSS

Процентиль: 58%

0.0036

Низкий

5.3 Medium

CVSS3

Связанные уязвимости

CVE-2022-22976

CVSS3: 5.3

ubuntu

больше 3 лет назад

CVE-2022-22976

CVSS3: 5.3

nvd

больше 3 лет назад

CVE-2022-22976

CVSS3: 5.3

debian

больше 3 лет назад

Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, a ...

GHSA-wx54-3278-m5g4

CVSS3: 5.3

github

больше 3 лет назад

Integer overflow in BCrypt class in Spring Security

EPSS

Процентиль: 58%

0.0036

Низкий

5.3 Medium

CVSS3