Vulnerability DatabaseCVE-2022-4492
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2022-4492
February 23, 2023
The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.
Related ResourcesĀ (12)
https://security.netapp.com/advisory/ntap-20230324-0002
https://github.com/undertow-io/undertow/pull/1457
https://security.netapp.com/advisory/ntap-20230324-0002/
https://nvd.nist.gov/vuln/detail/CVE-2022-4492
https://bugzilla.redhat.com/show_bug.cgi?id=2153260
https://github.com/undertow-io/undertow/pull/1457/commits/a4d3b167126a803cc4f7fb740dd9a6ecabf59342
https://github.com/undertow-io/undertow/pull/1447/commits/e5071e52b72529a14d3ec436ae7102cea5d918c4
https://issues.redhat.com/browse/UNDERTOW-2212
https://access.redhat.com/security/cve/CVE-2022-4492
https://issues.redhat.com/browse/MTA-93
https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/security/impl/ClientCertAuthenticationMechanism.java
https://github.com/undertow-io/undertow/pull/1447
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Server-Side Request Forgery (SSRF)
CWE-918
EPSS
Base Score:
0.1