CVE-2022-4492 — Server-Side Request Forgery in Redhat Undertow

CWE-918 — Server-Side Request Forgery CWE-550 — Server-generated Error Message Containing Sensitive Information8 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 63.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Undertow Redhat Jboss Enterprise Application Platform Redhat Jboss Fuse +2 more

Timeline

PublishedFeb 23

Latest updateOct 15

Description

The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages7 packages

▶Debianredhat/undertow< 2.3.8-2

▶CVEListV5redhat/undertow2.7

▶NVDredhat/undertow2.7.0

▶NVDredhat/jboss_fuse7.0.0

▶NVDredhat/single_sign-on7.0

🔴Vulnerability Details

CVEList

CVE-2022-4492: The undertow client is not checking the server identity presented by the server certificate in https connections↗2023-02-23

▶

OSV

CVE-2022-4492: The undertow client is not checking the server identity presented by the server certificate in https connections↗2023-02-23

▶

OSV

Undertow client not checking server identity presented by server certificate in https connections↗2023-02-23

▶

GHSA

Undertow client not checking server identity presented by server certificate in https connections↗2023-02-23

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Install/Upgrade (Undertow) — CVE-2022-4492↗2023-10-15

▶

Red Hat

undertow: Server identity in https connection is not checked by the undertow client↗2022-12-14

▶

Debian

CVE-2022-4492: undertow - The undertow client is not checking the server identity presented by the server ...↗2022

▶