Vulnerability in Async-http-client_project Async-http-client

CVE-2013-7397

Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS server…

EPSS: 0.011 (78.0th percentile) — read the EPSS interpretation.

Affected products

Async-http-client_project Async-http-client
Redhat Jboss_fuse
N/a — versions n/a

Weakness classification (CWE)

CWE-345 — Insufficient Verification of Data Authenticity

References

RHSA-2015:0850 (x_refsource_REDHAT, vendor-advisory)
RHSA-2015:1176 (x_refsource_REDHAT, vendor-advisory)
RHSA-2015:0851 (x_refsource_REDHAT, vendor-advisory)
69316 (vdb-entry, x_refsource_BID)
cve@mitre.org (x_refsource_CONFIRM, Vendor Advisory)
cve@mitre.org (x_refsource_CONFIRM)
[oss-security] 20140825 Re: CVE Request: Multiple issues in com.ning:async-http-client (mailing-list, x_refsource_MLIST)
RHSA-2015:1551 (x_refsource_REDHAT, vendor-advisory)
[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1 (mailing-list, x_refsource_MLIST)
[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list (mailing-list, x_refsource_MLIST)