CVE-2022-48308 MEDIUM

Vendor Palantir
Product sls-logging
Weakness CWE-297
Published February 16, 2023
Last update March 18, 2025

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

What the vulnerability does

01 Description

It was discovered that sls-logging was not verifying hostnames in TLS certificates due to a misuse of the javax.net.ssl.SSLSocketFactory API. An attacker in a privileged network position could abuse this to perform a man-in-the-middle attack. A successful man-in-the-middle attack would allow them to intercept, read, or modify network communications to and from the affected service.
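The API behaviour behind this weakness class, as an added example that is not sls-logging or Palantir code: a socket obtained directly from SSLSocketFactory has no endpoint identification algorithm set, so hostname checking must be requested explicitly. The class and method names are hypothetical.

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;

// Added illustration; class and method names are hypothetical, not sls-logging code.
public class EndpointIdentification {

    // Pattern behind CWE-297: a socket taken straight from SSLSocketFactory
    // validates the certificate chain during the handshake but does not compare
    // the certificate's names with the host the caller meant to reach.
    static SSLSocket rawSocket(SSLSocketFactory factory) throws IOException {
        return (SSLSocket) factory.createSocket();
    }

    // Corrected form: request HTTPS-style (RFC 2818) endpoint identification so
    // the handshake fails when the certificate does not match the peer host.
    // Call this before startHandshake() or the first read/write.
    static SSLSocket harden(SSLSocket socket) {
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        return socket;
    }

    // Audit helper: true only if hostname verification is switched on.
    static boolean verifiesHostname(SSLSocket socket) {
        String alg = socket.getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }

    public static void main(String[] args) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // Unconnected sockets: this check runs offline, no peer is contacted.
        try (SSLSocket weak = rawSocket(factory);
             SSLSocket fixed = harden(rawSocket(factory))) {
            System.out.println("raw socket verifies hostname:      " + verifiesHostname(weak));
            System.out.println("hardened socket verifies hostname: " + verifiesHostname(fixed));
        }
    }
}
```

In client code the same harden() step applies to the socket returned by createSocket(host, port), before any data is exchanged.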

Key dates

02 Disclosure timeline

February 16, 2023 CVE published
March 18, 2025 Record updated