The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol. This issue affects versions prior to 2.2.24.Final and 2.3.x prior to 2.3.5.Final.
HIGH Vulnerable Package issue exists @ io.undertow:undertow-core in branch refs/heads/master
Description
The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol. This issue affects versions prior to 2.2.24.Final and 2.3.x prior to 2.3.5.Final.
HIGH Vulnerable Package issue exists @ io.undertow:undertow-core in branch refs/heads/master
Vulnerability ID: CVE-2022-4492
Package Name: io.undertow:undertow-core
Severity: HIGH
CVSS Score: 7.5
Publish Date: 2023-02-23T20:15:00
Current Package Version: 2.0.9.Final
Remediation Upgrade Recommendation: 2.3.16.SP1-redhat-00001
Link To SCA
Reference – NVD link