How severe is CVE-2022-27225?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.5 out of 10.

What type of vulnerability is CVE-2022-27225?

This is classified as CWE-311, which is a common weakness in software security.

CVE-2022-27225 - MEDIUM Severity | CVSS 6.5

Vulnerability Description

Gradle Enterprise before 2021.4.3 relies on cleartext data transmission in some situations. It uses Keycloak for identity management services. During the sign-in process, Keycloak sets browser cookies that effectively provide remember-me functionality. For backwards compatibility with older Safari versions, Keycloak sets a duplicate of the cookie without the Secure attribute, which allows the cookie to be sent when accessing the location that cookie is set for via HTTP. This creates the potential for an attacker (with the ability to impersonate the Gradle Enterprise host) to capture the login session of a user by having them click an http:// link to the server, despite the real server requiring HTTPS.

Related Vulnerabilities

CVE-2010-3299

MEDIUM

CVSS:6.5(Medium)

The encrypt/decrypt functions in Ruby on Rails 2.3 are vulnerable to padding oracle attacks.

CWE-3112010

CVE-2017-12716

MEDIUM

CVSS:6.5(Medium)

Abbott Laboratories Accent and Anthem pacemakers manufactured prior to Aug 28, 2017 transmit unencrypted patient information via RF communications to programmers and home monitoring units. Additionall...

CWE-3112017

CVE-2017-14953

MEDIUM

CVSS:6.5(Medium)

HikVision Wi-Fi IP cameras, when used in a wired configuration, allow physically proximate attackers to trigger association with an arbitrary access point by leveraging a default SSID with no WiFi enc...

CWE-3112017

CVE-2018-4855

MEDIUM

CVSS:6.5(Medium)

A vulnerability has been identified in SICLOCK TC100 (All versions) and SICLOCK TC400 (All versions). Unencrypted storage of passwords in the client configuration files and during network transmission...

CWE-3112018

CVE-2018-5185

MEDIUM

CVSS:6.5(Medium)

Plaintext of decrypted emails can leak through by user submitting an embedded form. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8.

CWE-3112018

CVE-2019-1003088

MEDIUM

CVSS:6.5(Medium)

Jenkins Fabric Beta Publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the mast...

CWE-3112019