CVE-2023-4586

CWE-20 — Improper Input Validation CWE-295 — Improper Certificate Validation5 documents5 sources

Severity

7.4HIGH

EPSS

0.1%

top 67.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Data Grid

Timeline

PublishedOct 4

Description

A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages2 packages

▶Mavenio.netty:netty-handler4.1.0.Final — 4.1.99.Final

▶NVDredhat/data_grid8.0.0

🔴Vulnerability Details

CVEList

Hotrod-client: hot rod client does not enable hostname validation when using tls that lead to a mitm attack↗2023-10-04

▶

OSV

Withdrawn Advisory: Netty-handler does not validate host names by default↗2023-10-04

▶

GHSA

Withdrawn Advisory: Netty-handler does not validate host names by default↗2023-10-04

▶

📋Vendor Advisories

Red Hat

hotrod-client: Hot Rod client does not enable hostname validation when using TLS that lead to a MITM attack↗2023-08-29

▶