7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
34.7%
The undertow client is not checking the server identity presented by the server certificate in https connections. This should be performed by default in https and in http/2.
access.redhat.com/security/cve/CVE-2022-4492
bugzilla.redhat.com/show_bug.cgi?id=2153260
github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/security/impl/ClientCertAuthenticationMechanism.java
github.com/undertow-io/undertow/pull/1447
github.com/undertow-io/undertow/pull/1447/commits/e5071e52b72529a14d3ec436ae7102cea5d918c4
github.com/undertow-io/undertow/pull/1457
github.com/undertow-io/undertow/pull/1457/commits/a4d3b167126a803cc4f7fb740dd9a6ecabf59342
issues.redhat.com/browse/MTA-93
issues.redhat.com/browse/UNDERTOW-2212
nvd.nist.gov/vuln/detail/CVE-2022-4492
security.netapp.com/advisory/ntap-20230324-0002