Description
The Undertow client is not checking the server identity presented by the server certificate in HTTPS connections. This is a compulsory step (at least it should be performed by default) in HTTPS and in HTTP/2. I would add it to any TLS client protocol.
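As an added example, not Undertow's own code and not part of this advisory, the following standard JSSE client configuration shows the weak setting that produces the gap described above (chain validated, peer identity never compared to the intended host) beside the corrected one; the class name, the host `example.com` and the `main` method are assumptions for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;

/** Added illustration of client-side endpoint identification in JSSE (assumed class name). */
public final class TlsClientIdentityCheck {

    // Weak: the trust manager still validates the certificate chain, but nothing
    // compares the certificate's SAN/CN against the host the client meant to reach,
    // so any certificate from a trusted CA is accepted for any hostname.
    public static SSLEngine engineWithoutIdentityCheck(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        return engine;
    }

    // Hardened: "HTTPS" tells JSSE to perform RFC 2818 / RFC 6125 style host matching
    // during the handshake, using the peer host passed to createSSLEngine.
    // A mismatch fails the handshake instead of silently succeeding.
    public static SSLEngine engineWithIdentityCheck(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    // Defensive self-check a client can run before trusting a connection:
    // confirm the engine in use actually has endpoint identification enabled.
    public static boolean hasIdentityCheck(SSLEngine engine) {
        String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return "HTTPS".equalsIgnoreCase(alg);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine weak = engineWithoutIdentityCheck(ctx, "example.com", 443);
        SSLEngine fixed = engineWithIdentityCheck(ctx, "example.com", 443);
        System.out.println("weak engine checks identity:  " + hasIdentityCheck(weak));
        System.out.println("fixed engine checks identity: " + hasIdentityCheck(fixed));
    }
}
```

The same `SSLParameters` call applies to an `SSLSocket`; the point is that the check must be enabled explicitly on the engine or socket the client actually uses, because JSSE does not turn it on by default.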
Remediation
References
Related Vulnerabilities
GlassFish CVE-2016-3607 Vulnerability (CVE-2016-3607)
Drupal URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2020-13662)
OpenSSL Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-2178)
WordPress Plugin ARPrice-Responsive Pricing Table Cross-Site Scripting (2.2)