Hotrod-client: hot rod client does not enable hostname validation when using tls that lead to a mitm attack
CVE-2023-4586

7.4HIGH

Key Information:

Vendor
Red Hat
Status
Red Hat Data Grid 8.4.6
Vendor
CVE Published:
4 October 2023

Summary

A security issue has been identified in the Hot Rod client where hostname validation is not enforced during TLS connections. This lack of validation could potentially expose users to man-in-the-middle attacks, allowing malicious actors to intercept or alter communications without detection. Organizations using the Hot Rod client should assess their exposure to this vulnerability and consider implementing protective measures to secure their network traffic.

References

https://access.redhat.com/errata/RHSA-2023:7676
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-4586
vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2235564
issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.