The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.
References
Link | Resource |
---|---|
https://access.redhat.com/security/cve/CVE-2022-4492 | Vendor Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=2153260 | Issue Tracking Vendor Advisory |
https://security.netapp.com/advisory/ntap-20230324-0002/ |
Configurations
Configuration 1 (hide)
|
History
No history.
Information
Published : 2023-02-23 20:15
Updated : 2024-02-28 19:51
NVD link : CVE-2022-4492
Mitre link : CVE-2022-4492
CVE.ORG link : CVE-2022-4492
JSON object : View
Products Affected
redhat
- migration_toolkit_for_applications
- integration_camel_for_spring_boot
- integration_camel_k
- undertow
- jboss_enterprise_application_platform
- integration_service_registry
- build_of_quarkus
- migration_toolkit_for_runtimes
- jboss_fuse
- single_sign-on
CWE