The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.
References
Link | Resource |
---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=2153260 | Issue Tracking Vendor Advisory |
https://access.redhat.com/security/cve/CVE-2022-4492 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
Information
Published : 2023-02-23 12:15
Updated : 2023-03-06 11:14
NVD link : CVE-2022-4492
Mitre link : CVE-2022-4492
JSON object : View
CWE
Products Affected
redhat
- undertow
- jboss_enterprise_application_platform
- build_of_quarkus
- migration_toolkit_for_runtimes
- integration_camel_for_spring_boot
- single_sign-on
- jboss_fuse
- migration_toolkit_for_applications
- integration_camel_k
- integration_service_registry