CVE-2022-4492

The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.

Published: Feb 23, 2023
Updated: May 10, 2024
CVE: CVE-2022-4492
GHSA: GHSA-pfcc-3g6r-8rg8
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
redhat / jboss_enterprise_application_platform	7.0.0	7.0.0.x
redhat / single_sign-on	7.0	7.0.x
redhat / jboss_fuse	7.0.0	7.0.0.x
redhat / undertow	2.7.0	2.7.0.x
redhat / migration_toolkit_for_applications	6.0	6.0.x
io.undertow / undertow-core	2.3.0	2.3.5.Final
io.undertow / undertow-core	-	2.2.24.Final

https://access.redhat.com/security/cve/CVE-2022-4492
https://bugzilla.redhat.com/show_bug.cgi?id=2153260
https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/security/impl/ClientCertAuthenticationMechanism.java
https://github.com/undertow-io/undertow/pull/1447
https://github.com/undertow-io/undertow/pull/1447/commits/e5071e52b72529a14d3ec436ae7102cea5d918c4
https://github.com/undertow-io/undertow/pull/1457
https://github.com/undertow-io/undertow/pull/1457/commits/a4d3b167126a803cc4f7fb740dd9a6ecabf59342
https://issues.redhat.com/browse/MTA-93
https://issues.redhat.com/browse/UNDERTOW-2212
https://security.netapp.com/advisory/ntap-20230324-0002
https://security.netapp.com/advisory/ntap-20230324-0002/

Vulnerability Database

289,571

CVE-2022-4492