Why is CVE-2022-22970 identified with Severity 'High' in Prisma Cloud Compute?
Created On 10/07/22 06:10 AM - Last Modified 02/21/25 21:41 PM
Question
Why is CVE-2022-22970 identified with Severity 'High' in Prisma Cloud?
Environment
- Prisma Cloud Compute
Answer
- If you run a CVE search in the Console, or download the Intel Stream manually, the entry for CVE-2022-22970 with type "jar" (that is, the Maven artifact, not an OS package) shows severity high. Note that the jq filter must use the `.type` field; bare `type` is a jq builtin that returns "object" and would match nothing:
❯ jq 'select(.cve == "CVE-2022-22970" and .type == "jar")' cve.json
{
"cve": "CVE-2022-22970",
"distro": "",
"distro_release": "",
"type": "jar",
"package": "org.springframework_spring-core",
"severity": "high",
"status": "fixed in 5.3.20, 5.2.22.RELEASE",
"cvss": 7,
"rules": null,
"conditions": [
[
">=5.3.0",
"<5.3.20"
],
[
"<=5.2.21.RELEASE"
]
],
"modified": 1656236927,
"fixDate": 1652400028,
"link_id": "GHSA-hh26-6xwr-ggv7"
}
- For OS packages (packages maintained by the OS vendor, shown with type "package" in Compute), the CVE details come from that vendor's own security feed (see: Prisma Cloud vulnerability feed).
- For other package types, such as this jar, the information comes from official sources such as NVD and vendor-specific security advisories.
- Note that GitHub is now a CNA (CVE Numbering Authority), meaning it can assign CVE IDs and publish vulnerability records itself: https://github.com/opensearch-project/data-prepper/issues/1390
- The entry above is for the base jar file that one would download via Maven.
- Red Hat's advisories (a vendor-specific security advisory source) cover the packages Red Hat ships, not this jar file, so its updates and severity ratings do not apply here.
- Although information on all CVEs eventually flows into NVD, NVD is not always the best source of detailed remediation steps for specific variants of a CVE (e.g. the jar vs. distro packaging of CVE-2022-22970).
- Investigations therefore start, but do not necessarily end, at NVD; they branch out via the references NVD publishes to other vendors and organizations.
- Taking all of the above together with our researchers' own analysis, the severity of CVE-2022-22970 for the jar package is maintained as High.
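The following is an added example, not code from the article or from Prisma Cloud's own tooling. It does in Python what the jq one-liner above does (select an Intel Stream record by CVE and type) and then evaluates the record's "conditions" field against a concrete spring-core version, so you can tell whether a given jar on a host would be flagged and at which severity. It assumes that each inner list of "conditions" is a set of constraints that must all hold and that the outer list is a set of alternatives (this is how the 5.3.x and 5.2.x ranges in the entry read), and that a qualifier such as ".RELEASE" sorts the same as the bare numeric version. The sample feed is constructed from the single record shown above; a real cve.json contains thousands of records.

```python
"""Evaluate a Prisma Cloud Compute Intel Stream record against a package version.

Added example (not Prisma Cloud code). Assumptions:
  * "conditions" is a list of alternative groups; every constraint in a group
    must hold for that group to match (outer list = OR, inner list = AND).
  * Version qualifiers like ".RELEASE" compare equal to the numeric version.
"""
import json
import re

# Constructed sample feed: the one spring-core record from the article, in the
# same concatenated-JSON layout that jq reads from cve.json.
SAMPLE_FEED = """
{"cve": "CVE-2022-22970", "distro": "", "distro_release": "", "type": "jar",
 "package": "org.springframework_spring-core", "severity": "high",
 "status": "fixed in 5.3.20, 5.2.22.RELEASE", "cvss": 7, "rules": null,
 "conditions": [[">=5.3.0", "<5.3.20"], ["<=5.2.21.RELEASE"]],
 "modified": 1656236927, "fixDate": 1652400028, "link_id": "GHSA-hh26-6xwr-ggv7"}
"""

_CONSTRAINT = re.compile(r"^(>=|<=|>|<|=)?\s*(.+)$")


def load_feed(text):
    """Parse a stream of concatenated JSON objects (the cve.json layout)."""
    decoder = json.JSONDecoder()
    entries, pos = [], 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return entries
        obj, pos = decoder.raw_decode(text, pos)
        entries.append(obj)


def version_key(version):
    """'5.2.21.RELEASE' -> (5, 2, 21): leading numeric components only."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break  # qualifier (RELEASE, etc.) is ignored by assumption
        parts.append(int(piece))
    return tuple(parts)


def compare(a, b):
    """Three-way compare of two version strings, padding short keys with 0."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


_OPS = {
    ">=": lambda c: c >= 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    "<": lambda c: c < 0,
    "=": lambda c: c == 0,
    None: lambda c: c == 0,  # bare version means exact match
}


def satisfies(version, constraint):
    """True if `version` meets one constraint such as '<5.3.20'."""
    op, bound = _CONSTRAINT.match(constraint).groups()
    return _OPS[op](compare(version, bound.strip()))


def is_affected(version, conditions):
    """Outer list: any group may match; inner list: every constraint must."""
    return any(all(satisfies(version, c) for c in group) for group in conditions)


def lookup(feed, cve, pkg_type):
    """Same selection as: jq 'select(.cve == CVE and .type == TYPE)' cve.json"""
    return [e for e in feed if e["cve"] == cve and e["type"] == pkg_type]


def assess(feed, cve, pkg_type, package, version):
    """Return the severity Compute would report for this package version."""
    for entry in lookup(feed, cve, pkg_type):
        if entry["package"] == package and is_affected(version, entry["conditions"]):
            return {"affected": True, "severity": entry["severity"],
                    "cvss": entry["cvss"], "status": entry["status"]}
    return {"affected": False}


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED)
    for v in ("5.3.19", "5.3.20", "5.2.21.RELEASE", "5.2.22.RELEASE", "6.0.0"):
        print(v, assess(feed, "CVE-2022-22970", "jar",
                        "org.springframework_spring-core", v))
```

Because the record's type is "jar", this lookup deliberately ignores any "package"-type record for the same CVE; a distro build of spring-core would be matched by a separate record carrying the distro feed's own severity.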
Additional Information
- As seen below, this package has two different "sources":
a. OS (distro) package.
b. Jar package (Maven).
- For the distros, the CVE information is taken from each distro's own feed.
- For the Jar package (Maven), the CVE information is taken from the GHSA (GitHub Security Advisory) record.
- According to the GitHub Advisory, the severity of this CVE for the Jar package is High: https://github.com/advisories/GHSA-hh26-6xwr-ggv7
- The distros have their own builds and are not always affected by a given CVE, or the impact can be lower or higher because of their configuration or because they ship only part of the package's functionality.
- CVE-2022-22970 severity is Medium for the distro package.
- CVE-2022-22970 severity is High for the Jar (Maven) package.
- Hence the severity shown in Prisma Cloud for the jar package is High, and this information is correct.