Lucene search

RedhatCVE-2022-4492

HistoryFeb 23, 2023 - 8:15 p.m.

CVE-2022-4492

2023-02-2320:15:12

redhat

web.nvd.nist.gov

undertow

client

https

tls

security

vulnerability

cve-2022-4492

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

7.3

Confidence

High

EPSS

0.001

Percentile

39.4%

JSON

The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.

Affected configurations

Nvd

Vulners

Node

redhatbuild_of_quarkusMatch-

redhatintegration_camel_for_spring_bootMatch-

redhatintegration_camel_kMatch-

redhatintegration_service_registryMatch-

redhatjboss_enterprise_application_platformMatch7.0.0

redhatjboss_fuseMatch7.0.0

redhatmigration_toolkit_for_applicationsMatch6.0

redhatmigration_toolkit_for_runtimesMatch-

redhatsingle_sign-onMatch7.0

redhatundertowMatch2.7.0

VendorProductVersionCPE
redhatbuild_of_quarkus-cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*
redhatintegration_camel_for_spring_boot-cpe:2.3:a:redhat:integration_camel_for_spring_boot:-:*:*:*:*:*:*:*
redhatintegration_camel_k-cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*
redhatintegration_service_registry-cpe:2.3:a:redhat:integration_service_registry:-:*:*:*:*:*:*:*
redhatjboss_enterprise_application_platform7.0.0cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
redhatjboss_fuse7.0.0cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*
redhatmigration_toolkit_for_applications6.0cpe:2.3:a:redhat:migration_toolkit_for_applications:6.0:*:*:*:*:*:*:*
redhatmigration_toolkit_for_runtimes-cpe:2.3:a:redhat:migration_toolkit_for_runtimes:-:*:*:*:*:*:*:*
redhatsingle_sign-on7.0cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
redhatundertow2.7.0cpe:2.3:a:redhat:undertow:2.7.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redhat	build_of_quarkus	-	cpe:2.3:a:redhat:build_of_quarkus:-:::::::*
redhat	integration_camel_for_spring_boot	-	cpe:2.3:a:redhat:integration_camel_for_spring_boot:-:::::::*
redhat	integration_camel_k	-	cpe:2.3:a:redhat:integration_camel_k:-:::::::*
redhat	integration_service_registry	-	cpe:2.3:a:redhat:integration_service_registry:-:::::::*
redhat	jboss_enterprise_application_platform	7.0.0	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:::::::*
redhat	jboss_fuse	7.0.0	cpe:2.3:a:redhat:jboss_fuse:7.0.0:::::::*
redhat	migration_toolkit_for_applications	6.0	cpe:2.3:a:redhat:migration_toolkit_for_applications:6.0:::::::*
redhat	migration_toolkit_for_runtimes	-	cpe:2.3:a:redhat:migration_toolkit_for_runtimes:-:::::::*
redhat	single_sign-on	7.0	cpe:2.3:a:redhat:single_sign-on:7.0:::::::*
redhat	undertow	2.7.0	cpe:2.3:a:redhat:undertow:2.7.0:::::::*

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "undertow",
    "versions": [
      {
        "version": "2.7",
        "status": "affected"
      }
    ]
  }
]