CVE-2022-4492: Improper Validation of Certificate with Host Mismatch

February 23, 2023 (updated October 6, 2024)

The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.

References

access.redhat.com/security/cve/CVE-2022-4492
bugzilla.redhat.com/show_bug.cgi?id=2153260
nvd.nist.gov/vuln/detail/CVE-2022-4492

Detect and mitigate CVE-2022-4492 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →