SSRF in Redhat Build_of_quarkus
CVE-2022-4492
The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS clie…
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS: 0.006 (43.8th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.
Affected products
- Redhat Build_of_quarkus
- Redhat Integration_camel_for_spring_boot
- Redhat Integration_camel_k
- Redhat Integration_service_registry
- Redhat Jboss_enterprise_application_platform — versions 7.0.0
- Redhat Jboss_fuse — versions 7.0.0
- Redhat Migration_toolkit_for_applications — versions 6.0
- Redhat Migration_toolkit_for_runtimes
- Redhat Single_sign-on — versions 7.0
- Redhat Undertow — versions 2.7.0
Weakness classification (CWE)
Public proof-of-concept exploits
References
- secalert@redhat.com (Issue Tracking, Vendor Advisory)
- secalert@redhat.com (Vendor Advisory)
- secalert@redhat.com
Frequently asked questions
- What is CVE-2022-4492?
- CVE-2022-4492 is a high-severity vulnerability in Redhat Build_of_quarkus, classified under Server-Side Request Forgery (SSRF). CVSS score: 7.5/10. Published 2023-02-23.
- How severe is CVE-2022-4492?
- High severity. CVSS v3 base score is 7.5 out of 10.
- Is CVE-2022-4492 known to be exploited?
- 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.