UBUNTU-CVE-2022-22976

Advisory lineage Upstream: 1 Downstream: 0

Upstream

CVE-2022-22976

Published: 19 May 2022, 15:15

Last modified:20 May 2026, 16:07

Vulnerability Summary

Overall Risk (default)

low

21/100

CVSS Score

5.3 MEDIUM

3.1 (osv_ubuntu)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

19 May 2022, 15:15

Published

Vulnerability first disclosed

20 May 2026, 16:07

Last Modified

Vulnerability information updated

Description

Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.

CVSS Metrics

v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Systems

ubuntu•libspring-java
all | all | all

References (3)

https://ubuntu.com/security/CVE-2022-22976
https://tanzu.vmware.com/security/cve-2022-22976
https://www.cve.org/CVERecord?id=CVE-2022-22976