Vulnerability details: VCID-jz3d-vvfb-jfbw
Vulnerability ID VCID-jz3d-vvfb-jfbw
Aliases CVE-2022-4492
GHSA-pfcc-3g6r-8rg8
Summary Undertow client not checking server identity presented by server certificate in https connections. The undertow client is not checking the server identity presented by the server certificate in https connections. This should be performed by default in https and in http/2.
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-4492.json
cvssv3.1 9.8 https://access.redhat.com/security/cve/CVE-2022-4492
generic_textual CRITICAL https://access.redhat.com/security/cve/CVE-2022-4492
ssvc Track https://access.redhat.com/security/cve/CVE-2022-4492
epss 0.00155 https://api.first.org/data/v1/epss?cve=CVE-2022-4492
cvssv3.1 9.8 https://bugzilla.redhat.com/show_bug.cgi?id=2153260
generic_textual CRITICAL https://bugzilla.redhat.com/show_bug.cgi?id=2153260
ssvc Track https://bugzilla.redhat.com/show_bug.cgi?id=2153260
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-pfcc-3g6r-8rg8
cvssv3.1 9.8 https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/security/impl/ClientCertAuthenticationMechanism.java
generic_textual CRITICAL https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/security/impl/ClientCertAuthenticationMechanism.java
cvssv3.1 9.8 https://github.com/undertow-io/undertow/pull/1447
generic_textual CRITICAL https://github.com/undertow-io/undertow/pull/1447
cvssv3.1 9.8 https://github.com/undertow-io/undertow/pull/1447/commits/e5071e52b72529a14d3ec436ae7102cea5d918c4
generic_textual CRITICAL https://github.com/undertow-io/undertow/pull/1447/commits/e5071e52b72529a14d3ec436ae7102cea5d918c4
cvssv3.1 9.8 https://github.com/undertow-io/undertow/pull/1457
generic_textual CRITICAL https://github.com/undertow-io/undertow/pull/1457
cvssv3.1 9.8 https://github.com/undertow-io/undertow/pull/1457/commits/a4d3b167126a803cc4f7fb740dd9a6ecabf59342
generic_textual CRITICAL https://github.com/undertow-io/undertow/pull/1457/commits/a4d3b167126a803cc4f7fb740dd9a6ecabf59342
cvssv3.1 9.8 https://issues.redhat.com/browse/MTA-93
generic_textual CRITICAL https://issues.redhat.com/browse/MTA-93
cvssv3.1 9.8 https://issues.redhat.com/browse/UNDERTOW-2212
generic_textual CRITICAL https://issues.redhat.com/browse/UNDERTOW-2212
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2022-4492
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2022-4492
cvssv3.1 9.8 https://security.netapp.com/advisory/ntap-20230324-0002
generic_textual CRITICAL https://security.netapp.com/advisory/ntap-20230324-0002
ssvc Track https://security.netapp.com/advisory/ntap-20230324-0002/
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-4492.json
https://api.first.org/data/v1/epss?cve=CVE-2022-4492
https://bugzilla.redhat.com/show_bug.cgi?id=2153260
https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/security/impl/ClientCertAuthenticationMechanism.java
https://github.com/undertow-io/undertow/pull/1447
https://github.com/undertow-io/undertow/pull/1447/commits/e5071e52b72529a14d3ec436ae7102cea5d918c4
https://github.com/undertow-io/undertow/pull/1457
https://github.com/undertow-io/undertow/pull/1457/commits/a4d3b167126a803cc4f7fb740dd9a6ecabf59342
https://issues.redhat.com/browse/MTA-93
https://issues.redhat.com/browse/UNDERTOW-2212
https://security.netapp.com/advisory/ntap-20230324-0002
1032087 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032087
CVE-2022-4492 https://access.redhat.com/security/cve/CVE-2022-4492
CVE-2022-4492 https://nvd.nist.gov/vuln/detail/CVE-2022-4492
GHSA-pfcc-3g6r-8rg8 https://github.com/advisories/GHSA-pfcc-3g6r-8rg8
ntap-20230324-0002 https://security.netapp.com/advisory/ntap-20230324-0002/
RHSA-2023:2100 https://access.redhat.com/errata/RHSA-2023:2100
RHSA-2023:2705 https://access.redhat.com/errata/RHSA-2023:2705
RHSA-2023:2706 https://access.redhat.com/errata/RHSA-2023:2706
RHSA-2023:2707 https://access.redhat.com/errata/RHSA-2023:2707
RHSA-2023:2710 https://access.redhat.com/errata/RHSA-2023:2710
RHSA-2023:2713 https://access.redhat.com/errata/RHSA-2023:2713
RHSA-2023:3813 https://access.redhat.com/errata/RHSA-2023:3813
RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627
RHSA-2023:4983 https://access.redhat.com/errata/RHSA-2023:4983
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-4492.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/security/cve/CVE-2022-4492
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-12T14:33:53Z/ Found at https://access.redhat.com/security/cve/CVE-2022-4492
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://bugzilla.redhat.com/show_bug.cgi?id=2153260
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-12T14:33:53Z/ Found at https://bugzilla.redhat.com/show_bug.cgi?id=2153260
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/security/impl/ClientCertAuthenticationMechanism.java
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/undertow-io/undertow/pull/1447
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/undertow-io/undertow/pull/1447/commits/e5071e52b72529a14d3ec436ae7102cea5d918c4
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/undertow-io/undertow/pull/1457
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/undertow-io/undertow/pull/1457/commits/a4d3b167126a803cc4f7fb740dd9a6ecabf59342
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://issues.redhat.com/browse/MTA-93
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://issues.redhat.com/browse/UNDERTOW-2212
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-4492
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.netapp.com/advisory/ntap-20230324-0002
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-12T14:33:53Z/ Found at https://security.netapp.com/advisory/ntap-20230324-0002/
Exploit Prediction Scoring System (EPSS)
Percentile 0.36333
EPSS Score 0.00155
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:50:55.911744+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.undertow/undertow-core/CVE-2022-4492.yml 38.0.0