Internet Explorer is no longer supported. Many things will still work, but your experience will be degraded and some things won't function. Please use a modern browser such as Edge, Chrome, or Firefox.

PGV-2314320 - Undertow client not checking server identity presented by server certificate in https connections

Disclosed on February 23, 2023 (updated May 11, 2026)

Vulnerability Overview

PGV-2314320 is a category 3 vulnerabilty that affects io.undertow/undertow-core, versions ≥ 2.3.0 & < 2.3.5.Final, < 2.2.24.Final

Risk Assessment

The risk assessment shows that this vulnerability is exlpoited by a external attacker. An unauthorized external actor who attempts to exploit this vulnerability without legitimate access.

The impact is contained to the application. Exploitation remains confined to the application and cannot affect the host environment or external systems.

The threat damage is caused by data tampering. Exploitation can result in modification of any data (authorized or not) within the system.

Your Risk Profile
Network Exposure
External
Accessable from the public internet
Access Interface
WebBrowser
Primarily web-based applications
Service Outage
Disruptive
Operations would be impacted
Data Breach
Disruptive
Operations would be impacted
Data Tampering
Disruptive
Operations would be impacted
Customize
Additional Identifiers
  • CVE-2022-4492
  • GHSA-pfcc-3g6r-8rg8