Red Hat JBoss EAP: CVE-2022-4492: Server-Side Request Forgery (SSRF)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:N/I:C/A:N) | Dec 14, 2022 | Sep 19, 2024 | Jul 2, 2025 |
Description
A flaw was found in Undertow. The Undertow client does not check the server identity presented by the server certificate in HTTPS connections. This is a compulsory step (or at least one that should be performed by default) in HTTPS and in HTTP/2; I would add it to any TLS client protocol. Without endpoint identification, a client will accept any certificate chaining to a trusted CA regardless of the host it actually connects to, which allows a network attacker to impersonate the intended server.
Solution
Upgrade Red Hat JBoss EAP to the latest version (see the RHSA advisories listed under References).
References
- CWE-918
- CVE-2022-4492
- https://attackerkb.com/topics/CVE-2022-4492
- https://access.redhat.com/security/cve/CVE-2022-4492
- https://bugzilla.redhat.com/show_bug.cgi?id=2153260
- https://access.redhat.com/errata/RHSA-2023:1512
- https://access.redhat.com/errata/RHSA-2023:1513
- https://access.redhat.com/errata/RHSA-2023:1514
- https://access.redhat.com/errata/RHSA-2023:1516