Description
The Undertow client does not check the server identity presented in the server certificate on HTTPS connections. This check is compulsory in HTTPS and HTTP/2 (at the very least it should be performed by default), and I would add it to any TLS client protocol.
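As an added illustration (not Undertow's own code), the JSSE client-side setting that the description faults: the first helper leaves endpoint identification unset, so the engine validates the certificate chain but never compares the certificate's names with the host that was dialed; the second enables the HTTPS identification algorithm that performs that comparison. The host name and port are placeholders.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public final class TlsClientIdentityCheck {

    // Weak configuration: chain validation only. No endpoint identification
    // algorithm is set, so any certificate trusted by the trust store is
    // accepted regardless of which host it was issued for.
    static SSLEngine engineWithoutIdentityCheck(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        return engine;
    }

    // Hardened configuration: "HTTPS" tells JSSE to match the certificate's
    // subject alternative names (or CN) against the peer host passed to
    // createSSLEngine, failing the handshake on a mismatch.
    static SSLEngine engineWithIdentityCheck(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    // Guard usable from a unit test or a startup self-check: is server
    // identity verification actually switched on for this engine?
    static boolean verifiesServerIdentity(SSLEngine engine) {
        String algorithm = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return "HTTPS".equals(algorithm);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Placeholder peer; no network connection is opened here.
        String host = "server.example.test";
        int port = 443;
        System.out.println("weak   verifies identity: "
                + verifiesServerIdentity(engineWithoutIdentityCheck(ctx, host, port)));
        System.out.println("fixed  verifies identity: "
                + verifiesServerIdentity(engineWithIdentityCheck(ctx, host, port)));
    }
}
```

The same `setEndpointIdentificationAlgorithm("HTTPS")` call applies to an `SSLSocket`; without it, a TLS client that only validates the chain accepts any certificate the trust store vouches for, whichever host it was issued to.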
Remediation
References