Description
The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.
A flaw was found in undertow. The undertow client is not checking the server identity the server certificate presents in HTTPS connections. This is a compulsory step (that should at least be performed by default) in HTTPS and in http/2.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat build of Apicurio Registry 2 | undertow | Not affected | ||
| Red Hat build of Debezium 1 | undertow | Will not fix | ||
| Red Hat build of Quarkus | undertow | Affected | ||
| Red Hat Data Grid 8 | undertow | Will not fix | ||
| Red Hat Decision Manager 7 | undertow | Out of support scope | ||
| Red Hat Integration Camel K 1 | undertow | Affected | ||
| Red Hat Integration Camel Quarkus 1 | undertow | Will not fix | ||
| Red Hat JBoss Data Grid 7 | undertow | Out of support scope | ||
| Red Hat JBoss Enterprise Application Platform 6 | undertow | Out of support scope | ||
| Red Hat JBoss Fuse 6 | undertow | Out of support scope | ||
Additional information
Status:
EPSS
CVSS3: 7.5 High
Related vulnerabilities
Undertow client not checking server identity presented by server certificate in https connections