Undertow client not checking server identity presented by server certificate in https connections

GHSA-pfcc-3g6r-8rg8 · CVE-2022-4492

Published Feb 23, 2023 · Modified Mar 12, 2025

Description

The undertow client is not checking the server identity presented by the server certificate in https connections. This should be performed by default in https and in http/2.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-4492
WEB https://github.com/undertow-io/undertow/pull/1447
WEB https://github.com/undertow-io/undertow/pull/1447/commits/e5071e52b72529a14d3ec436ae7102cea5d918c4
WEB https://github.com/undertow-io/undertow/pull/1457
WEB https://github.com/undertow-io/undertow/pull/1457/commits/a4d3b167126a803cc4f7fb740dd9a6ecabf59342
WEB https://access.redhat.com/security/cve/CVE-2022-4492
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2153260
WEB https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/security/impl/ClientCertAuthenticationMechanism.java
WEB https://issues.redhat.com/browse/MTA-93
WEB https://issues.redhat.com/browse/UNDERTOW-2212
WEB https://security.netapp.com/advisory/ntap-20230324-0002

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes