[email protected]CVE-2022-22971

HistoryMay 12, 2022 - 8:15 p.m.

CVE-2022-22971

2022-05-1220:15:00

CWE-770

[email protected]

web.nvd.nist.gov

1023

cve-2022-22971

spring framework

websocket

stomp

denial of service

nvd

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.2 Medium

AI Score

Confidence

High

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

0.006 Low

EPSS

Percentile

78.8%

JSON

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user.

CPENameOperatorVersion
vmware:spring_frameworkvmware spring frameworkle5.2.21
vmware:spring_frameworkvmware spring frameworkle5.3.19
oracle:financial_services_crime_and_compliance_management_studiooracle financial services crime and compliance management studioeq8.0.8.2.0
oracle:financial_services_crime_and_compliance_management_studiooracle financial services crime and compliance management studioeq8.0.8.3.0
netapp:oncommand_insightnetapp oncommand insighteq-
netapp:cloud_secure_agentnetapp cloud secure agenteq-

CPE	Name	Operator	Version
vmware:spring_framework	vmware spring framework	le	5.2.21
vmware:spring_framework	vmware spring framework	le	5.3.19
oracle:financial_services_crime_and_compliance_management_studio	oracle financial services crime and compliance management studio	eq	8.0.8.2.0
oracle:financial_services_crime_and_compliance_management_studio	oracle financial services crime and compliance management studio	eq	8.0.8.3.0
netapp:oncommand_insight	netapp oncommand insight	eq	-
netapp:cloud_secure_agent	netapp cloud secure agent	eq	-