Disclosed on February 23, 2023 (updated May 11, 2026)
PGV-2314320 is a category 3 vulnerability that affects io.undertow/undertow-core, versions ≥ 2.3.0 and < 2.3.5.Final, and versions < 2.2.24.Final.
The risk assessment shows that this vulnerability is exploited by an external attacker: an unauthorized external actor who attempts to exploit it without legitimate access.
The impact is contained to the application. Exploitation remains confined to the application and cannot affect the host environment or external systems.
The threat damage is caused by data tampering. Exploitation can result in modification of any data (authorized or not) within the system.
The Undertow client does not check that the identity presented in the server certificate matches the host it connected to in HTTPS connections (server identity verification). This check should be performed by default for HTTPS and for HTTP/2.
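As an added example (not Undertow's own code), the server-identity check described above expressed with standard JSSE: with no endpoint identification algorithm set, JSSE validates only the certificate chain against the trust store and never compares the certificate's name with the host, so a client must opt in explicitly. The class name, host and port are assumptions for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;

/**
 * Illustrative example, not Undertow's code: a client-mode SSLEngine that
 * verifies the server identity, plus a check a test suite can run against
 * whatever engine a client library hands back.
 */
public final class ClientEndpointIdentification {

    /** Builds a client engine that applies the "HTTPS" identity rules (RFC 2818/6125). */
    public static SSLEngine clientEngineFor(SSLContext ctx, String host, int port) {
        // Passing host/port gives JSSE the expected peer name to compare against.
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        // Without this line the trust manager only checks the chain, not the name.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    /** Defensive check: true only if the engine will verify the server identity. */
    public static boolean verifiesServerIdentity(SSLEngine engine) {
        String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return engine.getUseClientMode() && "HTTPS".equalsIgnoreCase(alg);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        // Assumed host/port for illustration; no connection is made.
        SSLEngine plain = ctx.createSSLEngine("example.test", 443);
        plain.setUseClientMode(true);
        SSLEngine hardened = clientEngineFor(ctx, "example.test", 443);
        System.out.println("plain engine verifies identity: " + verifiesServerIdentity(plain));
        System.out.println("hardened engine verifies identity: " + verifiesServerIdentity(hardened));
    }
}
```

For the Undertow client itself the remedy is the fixed versions named above; the check is useful for confirming that an upgraded or wrapped client actually enables identity verification.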
| Factor | Rating | Description |
| --- | --- | --- |
| Network Exposure | External | Accessible from the public internet |
| Access Interface | Web Browser | Primarily web-based applications |
| Service Outage | Disruptive | Operations would be impacted |
| Data Breach | Disruptive | Operations would be impacted |
| Data Tampering | Disruptive | Operations would be impacted |