CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
39.4%
io.undertow:undertow-core is vulnerable to Improper Certificate Validation. The vulnerability is due to missing certificate validation in the Http2ClientProvider
class to check if the identity is presented by the server certificate in HTTPS connections. If the ENDPOINT_IDENTIFICATION_ALGORITHM
is not set, it allows connections without verifying the server’s identity which results in a certificate bypass.