7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
34.0%
The undertow client is not checking the server identity presented by the server certificate in https connections. This should be performed by default in https and in http/2.
CPE | Name | Operator | Version |
---|---|---|---|
io.undertow:undertow-core | lt | 2.2.24.Final | |
io.undertow:undertow-core | lt | 2.3.5.Final |
access.redhat.com/security/cve/CVE-2022-4492
bugzilla.redhat.com/show_bug.cgi?id=2153260
github.com/advisories/GHSA-pfcc-3g6r-8rg8
github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/security/impl/ClientCertAuthenticationMechanism.java
github.com/undertow-io/undertow/pull/1447
github.com/undertow-io/undertow/pull/1447/commits/e5071e52b72529a14d3ec436ae7102cea5d918c4
github.com/undertow-io/undertow/pull/1457
github.com/undertow-io/undertow/pull/1457/commits/a4d3b167126a803cc4f7fb740dd9a6ecabf59342
issues.redhat.com/browse/MTA-93
issues.redhat.com/browse/UNDERTOW-2212
nvd.nist.gov/vuln/detail/CVE-2022-4492
security.netapp.com/advisory/ntap-20230324-0002/
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
34.0%