CVE-2022-39213 Go module go-cvss manipulates CVSS v2.0. In affected versions, an Out-of-Bounds Read is possible due to lack of tests.
If you are running a CPE that supports CPE v2.3 in your environment, you can update your CPE to support CPE v2.3 by setting the `cpe_v2_3` variable in your CPE variable file. For example, if you are using a CPE v2.2, you can set the variable as follows: This is a critical issue with CPE v2.3. If you are using CPE v2.3, you are strongly advised to upgrade your CPE as soon as possible. A patch for this issue has already been submitted to the NVD CPE dictionary and will be released soon.
CVE-2022-38186
Vulnerability Summary
A critical vulnerability in CPE v2.3 has been identified, and an update is scheduled to be released soon. The vulnerability occurs when the HTTP/1.x version of CPE responds to a request for an unsupported HTTP/2 version. When this happens, the requested HTTP/2 response will be sent with a payload that is not supported by the client. This could lead to information disclosure or denial of service (DoS).
CPE v2.3 and CVE-2022-39213
CVE-2022-39213 is a critical issue with CPE v2.3. If you are using CPE v2.3, you are strongly advised to upgrade your CPE as soon as possible. A patch for this issue has already been submitted to the NVD CPE dictionary and will be released soon.
CVSS v3 Scores and Impact
CVSS v3 Base Score 8.5 Medium Confluence of Exploits 3.0 Low Confluence of Exploits
The CVSS v3 Base Score for CVE-2022-39213 is 8.5, with a Confluence of High and a Confluence of Medium.
If you are running a CPE that supports CPE v2.3 in your environment, you can update your CPE to support CPE v2.3 by setting the `cpe_v2_3` variable in your CPE variable file. For example, if you are using a CPE v2.2, you can set the variable as follows: This is a critical issue with CPE v2.3. If you are using CPE v2.3, you are strongly advised to upgrade your CPE as soon as possible (available at https://supportcenter1stvendorhqnvdcom/customer/portal/articles/20929591). A patch for this issue has already been submitted to the NVD dictionary and will be released soon (available at https://supportcenter1stvendorhqnvdcom/customer/portal/articles/20929591).
How did I find this issue?
This CVE is disclosed in the NVD CPE dictionary. You can find this CVE by searching for "CVE-2022-39213".
Timeline
Published on: 09/15/2022 22:15:00 UTC
Last modified on: 09/19/2022 19:57:00 UTC