Integer Overflow Vulnerability in Spring Security by VMware
CVE-2022-22976
CVSS 5.3 (Medium)
Key Information:
- Vendor: VMware
- Status: Vendor
- CVE Published: 19 May 2022
Badges:
- Exploit Exists
- Public PoC
What is CVE-2022-22976?
CVE-2022-22976 is an integer overflow in the BCrypt class shipped with Spring Security. When a BCryptPasswordEncoder is configured with the maximum work factor (strength 31), the number of key-expansion rounds is computed as 2^31 in a signed 32-bit integer, which overflows to a negative value; the expansion loop therefore never runs and the encoder performs no salt rounds at all, so the resulting hashes are far cheaper to attack than their cost field suggests. The default settings (strength 10) are not affected; only deployments that explicitly set the work factor to 31 are. Affected users should upgrade to Spring Security 5.5.7 or 5.6.4 (or later) and should treat any password hash produced with strength 31 on a vulnerable version as weak and re-hash it, for example on the user's next successful login.
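The following Java program is an added example and is not Spring Security's own code. It models the arithmetic the description refers to (the shape of the `1 << logRounds` shift and the `i < rounds` loop guard are assumptions based on the advisory, not a copy of the library source), shows a hardened 64-bit variant of the same computation, and includes a small scanner that reads the cost field out of stored bcrypt hashes so an operator can find records created with strength 31 that need re-hashing. The sample hash strings are constructed placeholders, not real hashes.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (not Spring Security code): models the overflow behind
// CVE-2022-22976 and scans stored hashes for the affected cost factor.
public class BcryptCostCheck {

    // Assumed shape of the affected computation: the round count is taken
    // as 1 << logRounds in a signed 32-bit int.
    static int vulnerableRounds(int logRounds) {
        return 1 << logRounds; // 1 << 31 == Integer.MIN_VALUE, i.e. negative
    }

    // A loop of the form "for (i = 0; i < rounds; i++)" runs zero times
    // when rounds is negative, which is the "no salt rounds" outcome.
    static boolean expansionLoopRuns(int rounds) {
        return 0 < rounds;
    }

    // Hardened variant: compute in 64 bits so 2^31 stays positive, and
    // reject work factors outside bcrypt's accepted range up front.
    static long fixedRounds(int logRounds) {
        if (logRounds < 4 || logRounds > 31) {
            throw new IllegalArgumentException("Bad number of rounds: " + logRounds);
        }
        return 1L << logRounds; // 1L << 31 == 2147483648L
    }

    // bcrypt modular-crypt format: $2<variant>$<2-digit cost>$<22 salt + 31 hash chars>
    private static final Pattern BCRYPT =
            Pattern.compile("^\\$2[abxy]\\$(\\d{2})\\$[./A-Za-z0-9]{53}$");

    // Returns the work factor encoded in a stored hash, or -1 if it is not bcrypt.
    static int costOf(String storedHash) {
        Matcher m = BCRYPT.matcher(storedHash);
        return m.matches() ? Integer.parseInt(m.group(1)) : -1;
    }

    // Hashes written by an affected version with cost 31 went through zero
    // expansion rounds and should be re-hashed on the next successful login.
    static boolean needsRehash(String storedHash) {
        return costOf(storedHash) == 31;
    }

    public static void main(String[] args) {
        int ok = vulnerableRounds(30);
        int bad = vulnerableRounds(31);
        System.out.println("1 << 30 = " + ok + ", loop runs: " + expansionLoopRuns(ok));
        System.out.println("1 << 31 = " + bad + ", loop runs: " + expansionLoopRuns(bad));
        System.out.println("1L << 31 = " + fixedRounds(31) + " (hardened)");

        // Constructed sample records, not real hashes: salt/hash chars are placeholders.
        List<String> stored = List.of(
                "$2a$10$" + "A".repeat(53),
                "$2a$31$" + "B".repeat(53),
                "{noop}plaintext");
        for (String h : stored) {
            System.out.printf("cost=%3d rehash=%-5b %s%n", costOf(h), needsRehash(h), h);
        }
    }
}
```

Run it with `java BcryptCostCheck.java` (Java 11 or newer). The scanner only inspects the cost field; it cannot tell from the hash alone which library version produced it, so it flags every strength-31 hash and leaves the decision to re-hash to the operator, who knows whether the application ran an affected release.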
Affected Version(s)
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions. Only applications that configure the BCrypt encoder with the maximum work factor (31) are affected; the default strength is not.
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. It is also a key component of weaponization, which for some vulnerabilities ends in ransomware.