GHSA-pqwh-44jj-p5rm

Source
https://github.com/advisories/GHSA-pqwh-44jj-p5rm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pqwh-44jj-p5rm/GHSA-pqwh-44jj-p5rm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pqwh-44jj-p5rm
Aliases
  • CVE-2013-4366
Published
2022-05-13T01:25:03Z
Modified
2024-03-05T17:33:19.157465Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Hostname verification in Apache HttpClient 4.3 was disabled by default
Details

http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification.

Affected packages

Maven / org.apache.httpcomponents:httpclient

Package

Name
org.apache.httpcomponents:httpclient
Purl
pkg:maven/org.apache.httpcomponents/httpclient

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.3
Fixed
4.3.1

Affected versions

4.*

4.3