CVE-2022-4492
Red Hat build of Quarkus - Server-Side Request Forgery via Undertow Client
Severity: HIGH
The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.
References (3)
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2022-4492
Issue Tracking, Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2153260
Vendor Advisory
https://security.netapp.com/advisory/ntap-20230324-0002/
Scores
CVSS v3
7.5
EPSS
0.0015
EPSS Percentile
35.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (11)
io.undertow/undertow-core
2.3.0 - 2.3.5.Final (Maven)
redhat/build_of_quarkus
redhat/integration_camel_for_spring_boot
redhat/integration_camel_k
redhat/integration_service_registry
redhat/jboss_enterprise_application_platform
7.0.0
redhat/jboss_fuse
7.0.0
redhat/migration_toolkit_for_applications
6.0
redhat/migration_toolkit_for_runtimes
redhat/single_sign-on
7.0
... and 1 more
Published
Feb 23, 2023
Tracked Since
Feb 18, 2026