Description

The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.

Remediation

References

CVE-2022-4492

Related Vulnerabilities

WordPress Plugin EMC2 Custom Help Videos Cross-Site Scripting (1.2)

Oracle Database Server CVE-2011-0870 Vulnerability (CVE-2011-0870)

WordPress Plugin A.M.Y. Cross-Site Scripting (1.3.3)

Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2011-4285)

Moodle Improper Access Control Vulnerability (CVE-2016-8642)

Severity

Critical

Classification

CVE-2022-4492 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities