CVE-2022-4492

Published: 23 Feb 2023
Source: nvd
CVSS3: 7.5
EPSS: Low

Description

The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.

Vulnerable configurations

Configuration 1

One of

cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:integration_camel_for_spring_boot:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:integration_service_registry:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:migration_toolkit_for_applications:6.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:migration_toolkit_for_runtimes:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:undertow:2.7.0:*:*:*:*:*:*:*

EPSS

Percentile: 29%
0.00107
Low

7.5 High

CVSS3

Weaknesses

NVD-CWE-noinfo
CWE-918

Related vulnerabilities

CVSS3: 7.5
ubuntu
almost 3 years ago

The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.

CVSS3: 7.5
redhat
about 3 years ago

The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.

CVSS3: 7.5
debian
almost 3 years ago

The undertow client is not checking the server identity presented by t ...

CVSS3: 9.8
github
almost 3 years ago

Undertow client not checking server identity presented by server certificate in https connections
