Description
The Undertow client is not checking the server identity presented by the server certificate in HTTPS connections. This is a compulsory step (at least it should be performed by default) in HTTPS and in HTTP/2. I would add it to any TLS client protocol.
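As an added illustration (not Undertow's own code), the check the description refers to, shown on a plain JDK SSLEngine: the default client engine validates the certificate chain against the trust store but does not match the certificate against the peer host, while setting the endpoint identification algorithm to "HTTPS" makes the JSSE trust manager perform that match during the handshake. Class and method names here are assumptions for the example.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;

/** Weak vs. hardened client-side TLS configuration with respect to server identity checking. */
public final class EndpointIdentificationExample {

    /** Client-mode engine with the weak default: chain validated, host name NOT checked. */
    public static SSLEngine weakClientEngine(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        // No endpoint identification algorithm is set, so a valid certificate for any
        // other name issued by a trusted CA would be accepted for "host".
        return engine;
    }

    /** Same engine, hardened: the certificate is also matched against the peer host name. */
    public static SSLEngine hardenedClientEngine(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        // "HTTPS" selects RFC 2818 host name matching (SAN dNSName, falling back to CN)
        // inside the X509ExtendedTrustManager during the handshake.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    /** Audit helper: true when the engine is configured to verify the server identity. */
    public static boolean verifiesServerIdentity(SSLEngine engine) {
        String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        // Host and port are constructed sample values for the demonstration.
        System.out.println("weak engine verifies identity:     "
                + verifiesServerIdentity(weakClientEngine(ctx, "example.com", 443)));
        System.out.println("hardened engine verifies identity: "
                + verifiesServerIdentity(hardenedClientEngine(ctx, "example.com", 443)));
    }
}
```

The same audit helper can be pointed at any SSLEngine a client library hands out, which is a quick way to confirm whether the library enables the check by default.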
Remediation
References