Main Vulnerability Database Vulnerabilities #VU63342

Integer overflow in Spring Security - CVE-2022-22976

Published: May 17, 2022 / Updated: May 17, 2022

Vulnerability identifier: #VU63342

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear

CVE-ID: CVE-2022-22976

CWE-ID: CWE-190

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vendor: VMware, Inc

Affected software:
Spring Security

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in BCrypt class with the maximum work factor (31) for BCryptPasswordEncoder. The encoder does not perform any salt rounds, which weakens encryption capabilities of the software.

How to mitigate CVE-2022-22976

Install updates from vendor's website.

Sources

https://tanzu.vmware.com/security/cve-2022-22976

Integer overflow in Spring Security - CVE-2022-22976

Detailed vulnerability description

How to mitigate CVE-2022-22976

Sources

Please verify you're human