Undertow Client Vulnerability: Lack of Server Identity Verification in HTTPS Connections

CVE-2022-4492 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.
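The following is an added illustration, not code from the Undertow project or from its fix for this CVE. It shows, in plain JSSE, the two halves of a TLS client check: chain validation against the trust store (which the JDK does by default) and endpoint identification, which binds the certificate's SAN/CN to the host name the client intended to reach and which JSSE leaves switched off on a bare `SSLEngine` or `SSLSocket` unless the caller sets it. A client that omits the second half has exactly the gap described above: any certificate the trust store accepts, issued to any name, is accepted for any host. The class, method names and the hypothetical host/port are assumptions of this example.

```java
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Added example (not Undertow code): a JSSE client that verifies the server's identity. */
public final class HostnameVerifiedClient {

    /**
     * Build a client-mode SSLEngine that checks the peer certificate against {@code host}.
     * Without setEndpointIdentificationAlgorithm, JSSE validates the chain but never
     * compares the certificate's SAN/CN with the name the client connected to.
     */
    public static SSLEngine clientEngine(SSLContext ctx, String host, int port) {
        // The host passed here is what JSSE compares the certificate's names against.
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        // "HTTPS" selects RFC 2818-style matching (SAN dNSName first, CN as fallback).
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    /**
     * Same check on a blocking SSLSocket. startHandshake() throws an SSLHandshakeException
     * if the chain is untrusted OR the certificate is not issued for {@code host}.
     */
    public static SSLSocket connect(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake();
        return socket;
    }

    /** Quick self-check a reviewer can run against a client's engine configuration. */
    public static boolean verifiesServerIdentity(SSLEngine engine) {
        String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException, IOException {
        // Hypothetical endpoint; replace with a host whose certificate chain is in the trust store.
        String host = "example.invalid";
        int port = 443;

        SSLContext ctx = SSLContext.getDefault();
        SSLEngine unchecked = ctx.createSSLEngine(host, port); // default: no identity check
        SSLEngine checked = clientEngine(ctx, host, port);
        System.out.println("default engine verifies identity: " + verifiesServerIdentity(unchecked));
        System.out.println("hardened engine verifies identity: " + verifiesServerIdentity(checked));

        try (SSLSocket s = connect(host, port)) {
            System.out.println("negotiated " + s.getSession().getProtocol()
                    + " with " + s.getSession().getPeerPrincipal());
        }
    }
}
```

The `verifiesServerIdentity` helper is the kind of assertion worth adding to a client library's test suite: it fails the build if someone creates an engine without endpoint identification, which is the regression class this advisory describes. For HTTP/2 the same parameter applies, since ALPN negotiation runs over the same `SSLEngine`.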
