{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-4492", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2025-03-12T14:34:50.123Z", "dateReserved": "2022-12-14T00:00:00.000Z", "datePublished": "2023-02-23T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-03-24T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol."}], "affected": [{"vendor": "n/a", "product": "undertow", "versions": [{"version": "2.7", "status": "affected"}]}], "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153260"}, {"url": "https://access.redhat.com/security/cve/CVE-2022-4492"}, {"url": "https://security.netapp.com/advisory/ntap-20230324-0002/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "ssrf"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:41:45.097Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153260", "tags": ["x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2022-4492", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230324-0002/", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-12T14:33:53.756138Z", "id": "CVE-2022-4492", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T14:34:50.123Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153260", "tags": ["x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2022-4492", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230324-0002/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:41:45.097Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-4492", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-12T14:33:53.756138Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T14:34:43.639Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "undertow", "versions": [{"status": "affected", "version": "2.7"}]}], "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153260"}, {"url": "https://access.redhat.com/security/cve/CVE-2022-4492"}, {"url": "https://security.netapp.com/advisory/ntap-20230324-0002/"}], "descriptions": [{"lang": "en", "value": "The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "ssrf"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-03-24T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-4492", "state": "PUBLISHED", "dateUpdated": "2025-03-12T14:34:50.123Z", "dateReserved": "2022-12-14T00:00:00.000Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2023-02-23T00:00:00.000Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*", "matchCriteriaId": "CE29B9D6-63DC-4779-ACE8-4E51E6A0AF37", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:integration_camel_for_spring_boot:-:*:*:*:*:*:*:*", "matchCriteriaId": "78698F40-0777-4990-822D-02E1B5D0E2C0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*", "matchCriteriaId": "B87C8AD3-8878-4546-86C2-BF411876648C", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:integration_service_registry:-:*:*:*:*:*:*:*", "matchCriteriaId": "EF03BDE8-602D-4DEE-BA5B-5B20FDF47741", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:migration_toolkit_for_applications:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "3C2E7E3C-A507-4AB2-97E5-4944D8775CF7", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:migration_toolkit_for_runtimes:-:*:*:*:*:*:*:*", "matchCriteriaId": "F979A5E3-7FFB-45F1-9847-FFBAF0B12067", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:undertow:2.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "E0FA5F7F-CCE8-4DF0-8F9D-516F72C30A45", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol."}], "id": "CVE-2022-4492", "lastModified": "2025-03-12T15:15:38.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-23T20:15:12.680", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2022-4492"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153260"}, {"source": "secalert@redhat.com", "url": "https://security.netapp.com/advisory/ntap-20230324-0002/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2022-4492"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153260"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20230324-0002/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-918"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:1516", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "undertow", "product_name": "EAP 7.4.10 release", "release_date": "2023-03-29T00:00:00Z"}, {"advisory": "RHSA-2023:3813", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "mtr/mtr-web-container-rhel8:1.1-8", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2023-06-27T00:00:00Z"}, {"advisory": "RHSA-2023:4627", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-operator-bundle:6.2.0-29", "product_name": "MTA-6.2-RHEL-9", "release_date": "2023-08-14T00:00:00Z"}, {"advisory": "RHSA-2023:3954", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "undertow", "product_name": "Red Hat Fuse 7.12", "release_date": "2023-06-29T00:00:00Z"}, {"advisory": "RHSA-2023:1513", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-undertow-0:2.2.23-1.SP2_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2023-03-29T00:00:00Z"}, {"advisory": "RHSA-2023:1513", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-undertow-jastow-0:2.0.14-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2023-03-29T00:00:00Z"}, {"advisory": "RHSA-2023:1514", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-undertow-0:2.2.23-1.SP2_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2023-03-29T00:00:00Z"}, {"advisory": "RHSA-2023:1514", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-undertow-jastow-0:2.0.14-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2023-03-29T00:00:00Z"}, {"advisory": "RHSA-2023:1512", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-undertow-0:2.2.23-1.SP2_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2023-03-29T00:00:00Z"}, {"advisory": "RHSA-2023:1512", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-undertow-jastow-0:2.0.14-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2023-03-29T00:00:00Z"}, {"advisory": "RHSA-2023:2713", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6.3", "package": "undertow", "product_name": "Red Hat Single Sign-On 7", "release_date": "2023-05-10T00:00:00Z"}, {"advisory": "RHSA-2023:2705", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "package": "rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el7sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date": "2023-05-10T00:00:00Z"}, {"advisory": "RHSA-2023:2706", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "package": "rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el8sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date": "2023-05-10T00:00:00Z"}, {"advisory": "RHSA-2023:2707", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", "package": "rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el9sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 9", "release_date": "2023-05-10T00:00:00Z"}, {"advisory": "RHSA-2023:2710", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "rh-sso-7/sso76-openshift-rhel8:7.6-22", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2023-05-10T00:00:00Z"}, {"advisory": "RHSA-2023:2100", "cpe": "cpe:/a:redhat:camel_spring_boot:3.20.1", "package": "undertow", "product_name": "RHINT Camel-Springboot 3.20.1", "release_date": "2023-05-03T00:00:00Z"}, {"advisory": "RHSA-2023:4983", "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", "product_name": "RHPAM 7.13.4 async", "release_date": "2023-09-05T00:00:00Z"}], "bugzilla": {"description": "undertow: Server identity in https connection is not checked by the undertow client", "id": "2153260", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153260"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "verified"}, "cwe": "CWE-550", "details": ["The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.", "A flaw was found in undertow. The undertow client is not checking the server identity the server certificate presents in HTTPS connections. This is a compulsory step ( that should at least be performed by default) in HTTPS and in http/2."], "name": "CVE-2022-4492", "package_state": [{"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "undertow", "product_name": "Red Hat build of Debezium 1"}, {"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Affected", "package_name": "undertow", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Will not fix", "package_name": "undertow", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Out of support scope", "package_name": "undertow", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Affected", "package_name": "undertow", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Will not fix", "package_name": "undertow", "product_name": "Red Hat Integration Camel Quarkus 1"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "undertow", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "undertow", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "undertow", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Out of support scope", "package_name": "undertow", "product_name": "Red Hat Process Automation 7"}], "public_date": "2022-12-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-4492\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-4492"], "threat_severity": "Moderate"}