CVE-2023-4586

A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack.

Published: Oct 4, 2023
Updated: May 10, 2024
CVE: CVE-2023-4586
GHSA: GHSA-57m8-f3v5-hm5m
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.4
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWEs:

CWE-295

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
io.netty / netty-handler	4.1.0.Final	4.1.99.final.x
redhat / data_grid	8.0.0	8.0.0.x

https://access.redhat.com/errata/RHSA-2023:7676
https://access.redhat.com/security/cve/CVE-2023-4586
https://bugzilla.redhat.com/show_bug.cgi?id=2235564
https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLParameters.html#setEndpointIdentificationAlgorithm-java.lang.String-
https://github.com/netty/netty/issues/8537
https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1042268

Vulnerability Database

289,599

CVE-2023-4586