CVE-2013-7397

Опубликовано: 30 июл. 2013

Источник: redhat

CVSS2: 5.8

Описание

Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a typical AHC configuration, as demonstrated by a configuration that does not send client certificates.

It was found that async-http-client would disable SSL/TLS certificate verification under certain conditions, for example if HTTPS communication also used client certificates. A man-in-the-middle (MITM) attacker could use this flaw to spoof a valid certificate.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat JBoss Data Virtualization 6	async-http-client	Affected
Red Hat JBoss Enterprise Web Server 1	fuse-6.1	Affected
Red Hat JBoss Enterprise Web Server 1	fuse-esb-7.1	Affected
Red Hat JBoss BPMS 6.0	async-http-client	Fixed	RHSA-2015:0851	16.04.2015
Red Hat JBoss BRMS 6.0	async-http-client	Fixed	RHSA-2015:0850	16.04.2015
Red Hat JBoss Fuse 6.2		Fixed	RHSA-2015:1176	23.06.2015
Red Hat JBoss Fuse Service Works 6.0	async-http-client	Fixed	RHSA-2015:1551	05.08.2015

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-295

https://bugzilla.redhat.com/show_bug.cgi?id=1133769async-http-client: SSL/TLS certificate verification is disabled under certain conditions

5.8 Medium

CVSS2

Связанные уязвимости

CVE-2013-7397

ubuntu

больше 10 лет назад

CVE-2013-7397

nvd

больше 10 лет назад

CVE-2013-7397

debian

больше 10 лет назад

Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X. ...

GHSA-8h53-fjgg-g42g

github

больше 3 лет назад

Insufficient Verification of Data Authenticity in Async Http Client

5.8 Medium

CVSS2