
CVE-2022-4492: Undertow client not checking server identity presented by server certificate in https connections

CVSS Score (v3.1): 9.8 (Critical)

Basic Information

EPSS Score: 0.32566%
Published: 2/23/2023
Updated: 3/12/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name              | Ecosystem | Vulnerable Versions       | First Patched Version
io.undertow:undertow-core | maven     | >= 2.3.0, < 2.3.5.Final   | 2.3.5.Final
io.undertow:undertow-core | maven     | < 2.2.24.Final            | 2.2.24.Final

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability stems from missing hostname verification in the Undertow client's HTTPS connections. A JSSE SSLEngine validates the server's certificate chain against the trust store, but it does not compare the certificate's subject names (SAN/CN) with the host the client intended to reach unless an endpoint identification algorithm is configured on it; without that step, any certificate that chains to a trusted CA is accepted for any hostname, which allows an active network attacker to impersonate the server. The patches (GHSA-pfcc-3g6r-8rg8) explicitly add 'ENDPOINT_IDENTIFICATION_ALGORITHM=HTTPS' to the client connection configuration. The vulnerable versions lacked this enforcement in the HTTP/1.1 and HTTP/2 client providers and in the SSL engine setup; the commit diffs show these functions were modified to add the missing validation, confirming them as the root cause. Practitioners on a patched version should still confirm that the setting is not being overridden by an explicit client option map that leaves the algorithm unset.
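The following is an added example written for this page, not Undertow's own code or the patch itself. It uses plain JSSE (nothing beyond the JDK) to show the exact setting the fix turns on: a client-mode SSLEngine created without an endpoint identification algorithm (the vulnerable shape) beside one where "HTTPS" is set (what the patched client providers effectively do through the option the analysis names, ENDPOINT_IDENTIFICATION_ALGORITHM), plus a small check a practitioner can run against any engine a library hands back. The class and method names are the example's own; the host and port are placeholders and no connection is opened.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;

/**
 * Added example (not Undertow's code). Demonstrates why certificate-chain
 * validation alone does not protect an HTTPS client: unless an endpoint
 * identification algorithm is set, the SSLEngine never compares the server
 * certificate's names with the target host, so a valid certificate for
 * attacker.example is accepted when connecting to api.example.
 */
public class EndpointIdentificationDemo {

    /** Vulnerable pattern: peer host/port are given, but hostname matching is off. */
    static SSLEngine createVulnerableClientEngine(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        // No setEndpointIdentificationAlgorithm(...) call: identity is not checked.
        return engine;
    }

    /** Hardened pattern: the equivalent of ENDPOINT_IDENTIFICATION_ALGORITHM=HTTPS. */
    static SSLEngine createHardenedClientEngine(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        // "HTTPS" selects RFC 2818-style matching of SAN/CN against the peer host
        // passed to createSSLEngine; the handshake fails on a mismatch.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    /** Check: does this engine verify the server's identity during the handshake? */
    static boolean verifiesHostname(SSLEngine engine) {
        String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return "HTTPS".equalsIgnoreCase(alg);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Default context uses the JDK trust store; placeholder host, no network I/O.
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine weak = createVulnerableClientEngine(ctx, "api.example", 443);
        SSLEngine fixed = createHardenedClientEngine(ctx, "api.example", 443);
        System.out.println("vulnerable engine verifies hostname: " + verifiesHostname(weak));
        System.out.println("hardened engine verifies hostname:   " + verifiesHostname(fixed));
    }
}
```

The check in verifiesHostname is what to apply when auditing a client built on an affected Undertow version: the engine must report "HTTPS" (the same is needed for HTTP/2, which is negotiated over the same TLS session), and the peer host passed to createSSLEngine must be the name the client actually intended to reach, since that is the value the algorithm matches against.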


WAF Protection Rules

WAF Rule

The Undertow client is not checking the server identity presented by the server certificate in HTTPS connections. This should be performed by default in HTTPS and in HTTP/2.
