Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wZmNjLTNnNnItOHJnOM4AAxyW
Undertow client not checking server identity presented by server certificate in https connections
The undertow client is not checking the server identity presented by the server certificate in https connections. This should be performed by default in https and in http/2.
Permalink: https://github.com/advisories/GHSA-pfcc-3g6r-8rg8JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wZmNjLTNnNnItOHJnOM4AAxyW
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-pfcc-3g6r-8rg8, CVE-2022-4492
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-4492
- https://access.redhat.com/security/cve/CVE-2022-4492
- https://bugzilla.redhat.com/show_bug.cgi?id=2153260
- https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/security/impl/ClientCertAuthenticationMechanism.java
- https://issues.redhat.com/browse/MTA-93
- https://security.netapp.com/advisory/ntap-20230324-0002/
- https://github.com/undertow-io/undertow/pull/1447
- https://github.com/undertow-io/undertow/pull/1447/commits/e5071e52b72529a14d3ec436ae7102cea5d918c4
- https://github.com/undertow-io/undertow/pull/1457
- https://github.com/undertow-io/undertow/pull/1457/commits/a4d3b167126a803cc4f7fb740dd9a6ecabf59342
- https://issues.redhat.com/browse/UNDERTOW-2212
- https://github.com/advisories/GHSA-pfcc-3g6r-8rg8
Blast Radius: 36.5
Affected Packages
maven:io.undertow:undertow-core
Dependent packages: 912Dependent repositories: 5,259
Downloads:
Affected Version Ranges: < 2.2.24.Final, >= 2.3.0, < 2.3.5.Final
Fixed in: 2.2.24.Final, 2.3.5.Final
All affected versions: 2.2.2-0.Final, 2.2.2-1.Final, 2.2.2-2.Final, 2.2.2-3.Final
All unaffected versions: