Vulnerability in Async-http-client_project Async-http-client

CVE-2013-7398

main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client (aka AHC or async-http-client) before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attacker…

EPSS: 0.010 (77.9th percentile) — read the EPSS interpretation.

Affected products

Async-http-client_project Async-http-client
Redhat Jboss_fuse
N/a — versions n/a

Weakness classification (CWE)

CWE-345 — Insufficient Verification of Data Authenticity

References

69317 (vdb-entry, x_refsource_BID)
RHSA-2015:0850 (x_refsource_REDHAT, vendor-advisory)
RHSA-2015:1176 (x_refsource_REDHAT, vendor-advisory)
cve@mitre.org (x_refsource_CONFIRM, Vendor Advisory)
RHSA-2015:0851 (x_refsource_REDHAT, vendor-advisory)
cve@mitre.org (x_refsource_CONFIRM)
[oss-security] 20140825 Re: CVE Request: Multiple issues in com.ning:async-http-client (mailing-list, x_refsource_MLIST)
RHSA-2015:1551 (x_refsource_REDHAT, vendor-advisory)
[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1 (mailing-list, x_refsource_MLIST)
[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list (mailing-list, x_refsource_MLIST)