Vulnerability Details CVE-2022-4492
The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 24.5%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2022-4492
- cpe:2.3:a:redhat:build_of_quarkus:-
- cpe:2.3:a:redhat:integration_camel_for_spring_boot:-
- cpe:2.3:a:redhat:integration_camel_k:-
- cpe:2.3:a:redhat:integration_service_registry:-
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0
- cpe:2.3:a:redhat:jboss_fuse:7.0.0
- cpe:2.3:a:redhat:migration_toolkit_for_applications:6.0
- cpe:2.3:a:redhat:migration_toolkit_for_runtimes:-
- cpe:2.3:a:redhat:single_sign-on:7.0
- cpe:2.3:a:redhat:undertow:2.7.0