Description
The Undertow client does not check the server identity presented by the server certificate in HTTPS connections (that is, the certificate is validated against the trust store, but its subject is never matched against the requested host name). This is a compulsory step, or at least one that should be performed by default, in HTTPS and in HTTP/2. I would add it to any TLS client protocol.
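The missing check described above, shown on a plain JDK `SSLEngine` as an added example (this is not Undertow's own code): the `createClientEngine` helper is hypothetical, and the weak engine differs from the hardened one only in whether the HTTPS endpoint identification algorithm is set, which is what makes the handshake compare the certificate with the peer host name.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Added example, not Undertow code: configuring a client-mode SSLEngine so that the
// server certificate is matched against the requested host name (RFC 2818 / RFC 6125).
public final class ClientEndpointIdentification {

    // Hypothetical helper: builds a client engine for the given peer.
    static SSLEngine createClientEngine(SSLContext ctx, String host, int port,
                                        boolean verifyHostname) {
        // The peer host name must be handed to the engine, or there is nothing to
        // compare the certificate against.
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        if (verifyHostname) {
            // With this unset (the JDK default for a raw SSLEngine or SSLSocket) only
            // the trust chain is validated, so a certificate issued by a trusted CA
            // for any other host would be accepted. "HTTPS" enables host name checking
            // as part of the handshake.
            params.setEndpointIdentificationAlgorithm("HTTPS");
        }
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // "example.com" is a placeholder peer; no connection is opened here.
        SSLEngine weak = createClientEngine(ctx, "example.com", 443, false);
        SSLEngine hardened = createClientEngine(ctx, "example.com", 443, true);
        System.out.println("weak endpoint identification:     "
                + weak.getSSLParameters().getEndpointIdentificationAlgorithm());
        System.out.println("hardened endpoint identification: "
                + hardened.getSSLParameters().getEndpointIdentificationAlgorithm());
    }
}
```

The weak engine reports `null` for the algorithm and the hardened one reports `HTTPS`; a quick audit of a TLS client is to check which of the two its engines or sockets actually carry before the handshake starts.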
Remediation
References