CVE-2022-4492 - OpenCVE

The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Integration Camel K Migration Toolkit For Applications Undertow Build Of Quarkus Jboss Enterprise Application Platform Migration Toolkit For Runtimes Jboss Fuse Integration Service Registry Integration Camel For Spring Boot Single Sign-on

Configuration 1 [-]

OR	cpe:2.3:a:redhat:build_of_quarkus:-:::::::*
	cpe:2.3:a:redhat:integration_camel_for_spring_boot:-:::::::*
	cpe:2.3:a:redhat:integration_camel_k:-:::::::*
	cpe:2.3:a:redhat:integration_service_registry:-:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:::::::*
	cpe:2.3:a:redhat:jboss_fuse:7.0.0:::::::*
	cpe:2.3:a:redhat:migration_toolkit_for_applications:6.0:::::::*
	cpe:2.3:a:redhat:migration_toolkit_for_runtimes:-:::::::*
	cpe:2.3:a:redhat:single_sign-on:7.0:::::::*
	cpe:2.3:a:redhat:undertow:2.7.0:::::::*

References

Link	Resource
https://access.redhat.com/security/cve/CVE-2022-4492	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2153260	Issue Tracking Vendor Advisory
https://security.netapp.com/advisory/ntap-20230324-0002/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2023-02-23T00:00:00

Updated: 2023-03-24T00:00:00

Reserved: 2022-12-14T00:00:00

Link: CVE-2022-4492

JSON object: View

NVD Information

Status : Modified

Published: 2023-02-23T20:15:12.680

Modified: 2023-03-24T16:15:08.350

Link: CVE-2022-4492

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*", "matchCriteriaId": "CE29B9D6-63DC-4779-ACE8-4E51E6A0AF37", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:integration_camel_for_spring_boot:-:*:*:*:*:*:*:*", "matchCriteriaId": "78698F40-0777-4990-822D-02E1B5D0E2C0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*", "matchCriteriaId": "B87C8AD3-8878-4546-86C2-BF411876648C", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:integration_service_registry:-:*:*:*:*:*:*:*", "matchCriteriaId": "EF03BDE8-602D-4DEE-BA5B-5B20FDF47741", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:migration_toolkit_for_applications:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "3C2E7E3C-A507-4AB2-97E5-4944D8775CF7", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:migration_toolkit_for_runtimes:-:*:*:*:*:*:*:*", "matchCriteriaId": "F979A5E3-7FFB-45F1-9847-FFBAF0B12067", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:undertow:2.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "E0FA5F7F-CCE8-4DF0-8F9D-516F72C30A45", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol."}], "id": "CVE-2022-4492", "lastModified": "2023-03-24T16:15:08.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-23T20:15:12.680", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2022-4492"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153260"}, {"source": "secalert@redhat.com", "url": "https://security.netapp.com/advisory/ntap-20230324-0002/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}