Critical severityNVD Advisory· Published Feb 23, 2023· Updated Mar 12, 2025
CVE-2022-4492
CVE-2022-4492
Description
The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
io.undertow:undertow-coreMaven | >= 2.3.0, < 2.3.5.Final | 2.3.5.Final |
io.undertow:undertow-coreMaven | < 2.2.24.Final | 2.2.24.Final |
Affected products
2- undertow/undertowdescription
Patches
Vulnerability mechanics
References
13- github.com/advisories/GHSA-pfcc-3g6r-8rg8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-4492ghsaADVISORY
- access.redhat.com/security/cve/CVE-2022-4492ghsaWEB
- bugzilla.redhat.com/show_bug.cgighsaWEB
- github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/security/impl/ClientCertAuthenticationMechanism.javaghsaWEB
- github.com/undertow-io/undertow/pull/1447ghsaWEB
- github.com/undertow-io/undertow/pull/1447/commits/e5071e52b72529a14d3ec436ae7102cea5d918c4ghsaWEB
- github.com/undertow-io/undertow/pull/1457ghsaWEB
- github.com/undertow-io/undertow/pull/1457/commits/a4d3b167126a803cc4f7fb740dd9a6ecabf59342ghsaWEB
- issues.redhat.com/browse/MTA-93ghsaWEB
- issues.redhat.com/browse/UNDERTOW-2212ghsaWEB
- security.netapp.com/advisory/ntap-20230324-0002ghsaWEB
- security.netapp.com/advisory/ntap-20230324-0002/mitre
News mentions
0No linked articles in our index yet.