CVE-2013-7398

Опубликовано: 09 янв. 2013

Источник: redhat

CVSS2: 5.8

EPSS Низкий

Описание

main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client (aka AHC or async-http-client) before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate.

It was found that async-http-client did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat JBoss Data Virtualization 6	async-http-client	Affected
Red Hat JBoss Enterprise Web Server 1	fuse-6.1	Affected
Red Hat JBoss Enterprise Web Server 1	fuse-esb-7.1	Affected
Red Hat JBoss BPMS 6.0	async-http-client	Fixed	RHSA-2015:0851	16.04.2015
Red Hat JBoss BRMS 6.0	async-http-client	Fixed	RHSA-2015:0850	16.04.2015
Red Hat JBoss Fuse 6.2		Fixed	RHSA-2015:1176	23.06.2015
Red Hat JBoss Fuse Service Works 6.0	async-http-client	Fixed	RHSA-2015:1551	05.08.2015

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-297

https://bugzilla.redhat.com/show_bug.cgi?id=1133773async-http-client: missing hostname verification for SSL certificates

EPSS

Процентиль: 79%

0.01231

Низкий

5.8 Medium

CVSS2

Связанные уязвимости

CVE-2013-7398

ubuntu

больше 10 лет назад

CVE-2013-7398

nvd

больше 10 лет назад

CVE-2013-7398

debian

больше 10 лет назад

main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Htt ...

GHSA-5c66-6h6g-6q6m

github

больше 3 лет назад

Insufficient Verification of Data Authenticity in Async Http Client

EPSS

Процентиль: 79%

0.01231

Низкий

5.8 Medium

CVSS2