CVE-2022-27890

CVSS v3 Score
7.4
High

Vulnerability Description

It was discovered that the sls-logging was not verifying hostnames in TLS certificates due to a misuse of the javax.net.ssl.SSLSocketFactory API. A malicious attacker in a privileged network position could abuse this to perform a man-in-the-middle attack. A successful man-in-the-middle attack would allow them to intercept, read, or modify network communications to and from the affected service. In the case of AtlasDB, the vulnerability was mitigated by other network controls such as two-way TLS when deployed as part of a Palantir platform. Palantir still recommends upgrading to a non-vulnerable version out of an abundance of caution.
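The root cause described above (raw `javax.net.ssl.SSLSocketFactory` use without endpoint identification) is easy to reproduce in any Java client, so the following added example, which is not code from sls-logging or Palantir, shows the weak pattern next to the hardened form. `SSLSocketFactory.createSocket()` plus `startHandshake()` validates the certificate chain against the trust store, but unlike `HttpsURLConnection` it does not by default check that the certificate's subject alternative name matches the host that was dialed; setting the endpoint identification algorithm to `HTTPS` on the socket's `SSLParameters` turns that check on. The class name, the `verifyPeerHostname` helper and the command-line host argument are assumptions for the example.

```java
import java.io.IOException;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical class name; added example, not part of sls-logging.
public final class HostnameVerificationExample {

    // WEAK PATTERN (the kind of misuse the advisory describes): the handshake
    // checks that the chain is trusted, but nothing checks that the certificate
    // was issued for `host`, so any valid certificate from a trusted CA for any
    // name is accepted. This is the property a network-position attacker abuses.
    static SSLSocket connectWithoutHostnameCheck(SSLSocketFactory factory,
                                                 String host, int port) throws IOException {
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.startHandshake();
        return socket;
    }

    // HARDENED FORM: enabling endpoint identification makes the JSSE trust
    // manager (an X509ExtendedTrustManager) compare the peer certificate
    // against the dialed hostname during the handshake, which then fails with
    // SSLHandshakeException on a mismatch instead of silently succeeding.
    static SSLSocket connectWithHostnameCheck(SSLSocketFactory factory,
                                              String host, int port) throws IOException {
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake();
        return socket;
    }

    // Defensive post-handshake check for sockets handed over by a library that
    // did not set the algorithm: reuse the JDK's default HostnameVerifier
    // against the negotiated session. Closes the socket if the name does not match.
    static void verifyPeerHostname(SSLSocket socket, String expectedHost) throws IOException {
        HostnameVerifier verifier = HttpsURLConnection.getDefaultHostnameVerifier();
        if (!verifier.verify(expectedHost, socket.getSession())) {
            socket.close();
            throw new SSLPeerUnverifiedException(
                "certificate does not match expected host " + expectedHost);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: HostnameVerificationExample <host> [port]");
            System.exit(2);
        }
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();

        // Hardened path: handshake itself fails on a hostname mismatch.
        try (SSLSocket s = connectWithHostnameCheck(factory, host, port)) {
            System.out.println("endpoint identification OK: "
                + s.getSession().getPeerPrincipal());
        }

        // Weak path followed by the explicit check, to show what the weak
        // path alone would have let through.
        try (SSLSocket s = connectWithoutHostnameCheck(factory, host, port)) {
            verifyPeerHostname(s, host);
            System.out.println("post-handshake hostname check OK");
        }
    }
}
```

When auditing a code base for this class of bug, look for `SSLSocketFactory.createSocket` or `SSLEngine` use that never calls `setEndpointIdentificationAlgorithm` and never runs a `HostnameVerifier`; a client that passes an `InetAddress` rather than a hostname to `createSocket` also loses the name the check would compare against, so the hostname must be supplied explicitly in those cases.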

CVSS:7.4(High)

An exploitable vulnerability exists in the remote control functionality of Circle with Disney running firmware 2.0.1. SSL certificates for specific domain names can cause the goclient daemon to accept...

CVSS:7.4(High)

A flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly validates certificate with host mismatch vulnerability. A remote, unauthenticated attacker could exploit the flaw by performing ...

CVSS:7.4(High)

An issue was discovered in Ada Web Server 20.0. When configured to use SSL (which is not the default setting), the SSL/TLS used to establish connections to external services is done without proper hos...

CVSS:7.5(High)

KEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect.

CVSS:7.5(High)

An issue was discovered in Bouncy Castle Java Cryptography APIs before BC 1.78. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happ...

CVSS:6.8(Medium)

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.10 and earlier, PJ...