CVE-2022-4492
undertow: Server identity in https connection is not checked by the undertow client
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.
A flaw was found in undertow. The undertow client is not checking the server identity the server certificate presents in HTTPS connections. This is a compulsory step ( that should at least be performed by default) in HTTPS and in http/2.
Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services. This erratum releases a new image for Red Hat Single Sign-On 7.6.3 for use within the Red Hat OpenShift Container Platform cloud computing Platform-as-a-Service for on-premise or private cloud deployments, aligning with the standalone product release. Issues addressed include denial of service and information leakage vulnerabilities.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2022-12-14 CVE Reserved
- 2023-02-23 CVE Published
- 2025-03-12 CVE Updated
- 2025-04-02 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-550: Server-generated Error Message Containing Sensitive Information
- CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://security.netapp.com/advisory/ntap-20230324-0002 |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2022-4492 | 2023-03-24 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2153260 | 2023-03-24 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Build Of Quarkus Search vendor "Redhat" for product "Build Of Quarkus" | - | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Integration Camel For Spring Boot Search vendor "Redhat" for product "Integration Camel For Spring Boot" | - | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Integration Camel K Search vendor "Redhat" for product "Integration Camel K" | - | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Integration Service Registry Search vendor "Redhat" for product "Integration Service Registry" | - | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.0.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Fuse Search vendor "Redhat" for product "Jboss Fuse" | 7.0.0 Search vendor "Redhat" for product "Jboss Fuse" and version "7.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Migration Toolkit For Applications Search vendor "Redhat" for product "Migration Toolkit For Applications" | 6.0 Search vendor "Redhat" for product "Migration Toolkit For Applications" and version "6.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Migration Toolkit For Runtimes Search vendor "Redhat" for product "Migration Toolkit For Runtimes" | - | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Single Sign-on Search vendor "Redhat" for product "Single Sign-on" | 7.0 Search vendor "Redhat" for product "Single Sign-on" and version "7.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Undertow Search vendor "Redhat" for product "Undertow" | 2.7.0 Search vendor "Redhat" for product "Undertow" and version "2.7.0" | - |
Affected
| ||||||