Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-zzwy-h4sw-4qdk
Vulnerability ID VCID-zzwy-h4sw-4qdk
Aliases CVE-2022-22978
GHSA-hh32-7344-cg2f
Summary
Status Published
Exploitability 2.0
Weighted Severity 9.0
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (5)
CWE-625 Permissive Regular Expression
CWE-285 Improper Authorization
CWE-863 Incorrect Authorization
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 9.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22978.json
epss 0.90224 https://api.first.org/data/v1/epss?cve=CVE-2022-22978
epss 0.90224 https://api.first.org/data/v1/epss?cve=CVE-2022-22978
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-hh32-7344-cg2f
cvssv3.1 9.8 https://github.com/anchore/grype/issues/2158
generic_textual CRITICAL https://github.com/anchore/grype/issues/2158
cvssv3.1 9.8 https://github.com/spring-projects/spring-security
generic_textual CRITICAL https://github.com/spring-projects/spring-security
cvssv3.1 9.8 https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/util/matcher/RegexRequestMatcher.java
generic_textual CRITICAL https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/util/matcher/RegexRequestMatcher.java
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2022-22978
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2022-22978
cvssv3.1 9.8 https://security.netapp.com/advisory/ntap-20220707-0003
generic_textual CRITICAL https://security.netapp.com/advisory/ntap-20220707-0003
cvssv3.1 9.8 https://spring.io/security/cve-2022-22978
generic_textual CRITICAL https://spring.io/security/cve-2022-22978
cvssv3.1 9.8 https://tanzu.vmware.com/security/cve-2022-22978
generic_textual CRITICAL https://tanzu.vmware.com/security/cve-2022-22978
cvssv3.1 9.8 https://www.oracle.com/security-alerts/cpujul2022.html
generic_textual CRITICAL https://www.oracle.com/security-alerts/cpujul2022.html
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22978.json
https://api.first.org/data/v1/epss?cve=CVE-2022-22978
https://github.com/anchore/grype/issues/2158
https://github.com/spring-projects/spring-security
https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/util/matcher/RegexRequestMatcher.java
https://nvd.nist.gov/vuln/detail/CVE-2022-22978
https://security.netapp.com/advisory/ntap-20220707-0003
https://spring.io/security/cve-2022-22978
https://tanzu.vmware.com/security/cve-2022-22978
2087606 https://bugzilla.redhat.com/show_bug.cgi?id=2087606
GHSA-hh32-7344-cg2f https://github.com/advisories/GHSA-hh32-7344-cg2f
RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532
RHSA-2023:3299 https://access.redhat.com/errata/RHSA-2023:3299
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22978.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/anchore/grype/issues/2158
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/spring-projects/spring-security
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/util/matcher/RegexRequestMatcher.java
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-22978
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.netapp.com/advisory/ntap-20220707-0003
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://spring.io/security/cve-2022-22978
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://tanzu.vmware.com/security/cve-2022-22978
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/security-alerts/cpujul2022.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.99612
EPSS Score 0.90224
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-12T02:05:57.221862+00:00 EPSS Importer Import https://epss.cyentia.com/epss_scores-current.csv.gz 38.6.0