Description
Undertow client not checking server identity presented by server certificate in https connections
The Undertow client does not check the server identity presented in the server certificate on HTTPS connections: the host name the client set out to reach is never compared against the names the certificate was issued for. That comparison should be performed by default for HTTPS and for HTTP/2 (which runs over TLS). Without it, any certificate that chains to a trusted CA is accepted regardless of which host it was issued for, so an attacker on the network path who holds such a certificate for some other host can impersonate the intended server.
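To make concrete what "not checking the server identity" means, the following is an added Go example (not Undertow's code and not the upstream fix) that stands up an in-process TLS server with a constructed self-signed certificate for api.example.test and runs three clients against it: one that verifies the chain and the name with the right name, one that does the same with the wrong name, and one that validates the chain but never compares the name, which is the client behaviour this advisory describes. The host names, the certificate and the loopback server are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const CertHost = "api.example.test" // DNS name the constructed server certificate is issued for

// newServerCert makes a throwaway self-signed certificate for CertHost (constructed
// fixture, not real key material) and a pool trusting it, so chain validation always
// succeeds and only the identity check separates the scenarios below.
func newServerCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{CertHost}, // the identity a correct client must match
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// Handshake dials addr expecting to talk to serverName. With checkIdentity, Go's default
// verifier validates the chain and matches serverName against the SANs; without it the
// chain is still validated but the name is never compared (the behaviour in this advisory).
func Handshake(addr, serverName string, roots *x509.CertPool, checkIdentity bool) error {
	cfg := &tls.Config{RootCAs: roots, ServerName: serverName}
	if !checkIdentity {
		cfg.InsecureSkipVerify = true // switches off the built-in verifier entirely ...
		cfg.VerifyConnection = func(cs tls.ConnectionState) error { // ... so re-add chain validation only
			// Single self-signed cert here; a real chain would also add intermediates.
			_, err := cs.PeerCertificates[0].Verify(x509.VerifyOptions{Roots: roots}) // no DNSName: identity unchecked
			return err
		}
	}
	conn, err := tls.Dial("tcp", addr, cfg) // Dial completes the handshake
	if err != nil {
		return err
	}
	_ = conn.Close()
	return nil
}

// IsHostnameMismatch reports whether err is the verifier's name-mismatch error.
func IsHostnameMismatch(err error) bool {
	return errors.As(err, new(x509.HostnameError))
}

// Run serves the constructed certificate in-process and returns the handshake errors of
// three clients: right name, wrong name, and wrong name with the identity check disabled.
func Run() (okName, wrongName, wrongNameUnchecked, setupErr error) {
	cert, roots, err := newServerCert()
	if err != nil {
		return nil, nil, nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, nil, nil, err
	}
	defer ln.Close()
	go func() { // server: finish each handshake and hang up; the client decides the outcome
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(tc *tls.Conn) { tc.Handshake(); tc.Close() }(c.(*tls.Conn))
		}
	}()
	addr := ln.Addr().String()
	okName = Handshake(addr, CertHost, roots, true)
	wrongName = Handshake(addr, "other.example.test", roots, true)
	wrongNameUnchecked = Handshake(addr, "other.example.test", roots, false)
	return okName, wrongName, wrongNameUnchecked, nil
}

func main() {
	okName, wrongName, wrongNameUnchecked, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("right name: %v\nwrong name: %v\nwrong name, unchecked: %v\n", okName, wrongName, wrongNameUnchecked)
}
```

The third result is the dangerous one: the client that only validates the chain accepts a certificate issued for a completely different host, so whoever holds a trusted certificate for any name can stand in for the server. In JSSE, the general mechanism a Java client uses to turn the name check on is SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") applied to its SSLEngine or SSLSocket; a raw engine or socket does not perform that check unless it is set.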
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-4492
- https://github.com/undertow-io/undertow/pull/1447
- https://github.com/undertow-io/undertow/pull/1447/commits/e5071e52b72529a14d3ec436ae7102cea5d918c4
- https://github.com/undertow-io/undertow/pull/1457
- https://github.com/undertow-io/undertow/pull/1457/commits/a4d3b167126a803cc4f7fb740dd9a6ecabf59342
- https://access.redhat.com/security/cve/CVE-2022-4492
- https://bugzilla.redhat.com/show_bug.cgi?id=2153260
- https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/security/impl/ClientCertAuthenticationMechanism.java
- https://issues.redhat.com/browse/MTA-93
- https://issues.redhat.com/browse/UNDERTOW-2212
- https://security.netapp.com/advisory/ntap-20230324-0002
Packages
io.undertow:undertow-core | affected: >= 2.3.0, < 2.3.5.Final | fixed in: 2.3.5.Final
io.undertow:undertow-core | affected: < 2.2.24.Final          | fixed in: 2.2.24.Final
Related vulnerabilities
The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.