CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
39.4%
The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.
Vendor | Product | Version | CPE |
---|---|---|---|
redhat | build_of_quarkus | - | cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:* |
redhat | integration_camel_for_spring_boot | - | cpe:2.3:a:redhat:integration_camel_for_spring_boot:-:*:*:*:*:*:*:* |
redhat | integration_camel_k | - | cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:* |
redhat | integration_service_registry | - | cpe:2.3:a:redhat:integration_service_registry:-:*:*:*:*:*:*:* |
redhat | jboss_enterprise_application_platform | 7.0.0 | cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:* |
redhat | jboss_fuse | 7.0.0 | cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:* |
redhat | migration_toolkit_for_applications | 6.0 | cpe:2.3:a:redhat:migration_toolkit_for_applications:6.0:*:*:*:*:*:*:* |
redhat | migration_toolkit_for_runtimes | - | cpe:2.3:a:redhat:migration_toolkit_for_runtimes:-:*:*:*:*:*:*:* |
redhat | single_sign-on | 7.0 | cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:* |
redhat | undertow | 2.7.0 | cpe:2.3:a:redhat:undertow:2.7.0:*:*:*:*:*:*:* |
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
39.4%