Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-4492

Good to know:

icon
icon

Date: February 22, 2023

The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.

Language: Java

Severity Score

Related Resources (13)

https://issues.redhat.com/browse/UNDERTOW-2212
https://github.com/undertow-io/undertow/pull/1447/commits/e5071e52b72529a14d3ec436ae7102cea5d918c4
https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/security/impl/ClientCertAuthenticationMechanism.java
https://github.com/undertow-io/undertow/pull/1457/commits/a4d3b167126a803cc4f7fb740dd9a6ecabf59342
https://issues.redhat.com/browse/MTA-93
https://security.netapp.com/advisory/ntap-20230324-0002/
https://security.netapp.com/advisory/ntap-20230324-0002
https://nvd.nist.gov/vuln/detail/CVE-2022-4492
https://access.redhat.com/security/cve/CVE-2022-4492
https://github.com/undertow-io/undertow/pull/1457
https://github.com/undertow-io/undertow/pull/1447
https://bugzilla.redhat.com/show_bug.cgi?id=2153260
https://www.mend.io/vulnerability-database/CVE-2022-4492

Severity Score

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

Insufficient Information

NVD-CWE-noinfo

Top Fix

icon

Upgrade Version

Upgrade to version io.undertow:undertow-core:2.3.5.Final;io.undertow:undertow-core:2.2.24.Final

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): HIGH
Availability (A): NONE

Do you need more information?

Contact Us