CVE-2022-4492

2023-02-2320:15:12

[email protected]

web.nvd.nist.gov

undertow

server certificate

https protocol

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

7.5

Confidence

High

EPSS

0.001

Percentile

39.4%

JSON

The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.

Affected configurations

Nvd

Node

redhatbuild_of_quarkusMatch-

redhatintegration_camel_for_spring_bootMatch-

redhatintegration_camel_kMatch-

redhatintegration_service_registryMatch-

redhatjboss_enterprise_application_platformMatch7.0.0

redhatjboss_fuseMatch7.0.0

redhatmigration_toolkit_for_applicationsMatch6.0

redhatmigration_toolkit_for_runtimesMatch-

redhatsingle_sign-onMatch7.0

redhatundertowMatch2.7.0

VendorProductVersionCPE
redhatbuild_of_quarkus-cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*
redhatintegration_camel_for_spring_boot-cpe:2.3:a:redhat:integration_camel_for_spring_boot:-:*:*:*:*:*:*:*
redhatintegration_camel_k-cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*
redhatintegration_service_registry-cpe:2.3:a:redhat:integration_service_registry:-:*:*:*:*:*:*:*
redhatjboss_enterprise_application_platform7.0.0cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
redhatjboss_fuse7.0.0cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*
redhatmigration_toolkit_for_applications6.0cpe:2.3:a:redhat:migration_toolkit_for_applications:6.0:*:*:*:*:*:*:*
redhatmigration_toolkit_for_runtimes-cpe:2.3:a:redhat:migration_toolkit_for_runtimes:-:*:*:*:*:*:*:*
redhatsingle_sign-on7.0cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
redhatundertow2.7.0cpe:2.3:a:redhat:undertow:2.7.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redhat	build_of_quarkus	-	cpe:2.3:a:redhat:build_of_quarkus:-:::::::*
redhat	integration_camel_for_spring_boot	-	cpe:2.3:a:redhat:integration_camel_for_spring_boot:-:::::::*
redhat	integration_camel_k	-	cpe:2.3:a:redhat:integration_camel_k:-:::::::*
redhat	integration_service_registry	-	cpe:2.3:a:redhat:integration_service_registry:-:::::::*
redhat	jboss_enterprise_application_platform	7.0.0	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:::::::*
redhat	jboss_fuse	7.0.0	cpe:2.3:a:redhat:jboss_fuse:7.0.0:::::::*
redhat	migration_toolkit_for_applications	6.0	cpe:2.3:a:redhat:migration_toolkit_for_applications:6.0:::::::*
redhat	migration_toolkit_for_runtimes	-	cpe:2.3:a:redhat:migration_toolkit_for_runtimes:-:::::::*
redhat	single_sign-on	7.0	cpe:2.3:a:redhat:single_sign-on:7.0:::::::*
redhat	undertow	2.7.0	cpe:2.3:a:redhat:undertow:2.7.0:::::::*