Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-27820

Опубликовано: 24 апр. 2025
Источник: redhat
CVSS3: 6.5
EPSS Низкий

Описание

A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release

A flaw was found in Apache HttpClient. This vulnerability allows unauthorized access or information disclosure via disabled Public Suffix List (PSL) validation, affecting cookie management and hostname verification.

Отчет

This vulnerability is rated Moderate due to the high attack complexity required for exploitation, the limited impact on confidentiality, and the fact that the issue does not allow direct system compromise or denial of service. While the failure to load the Public Suffix List weakens hostname and cookie validation, it does not lead to immediate critical security breaches, and mitigation techniques such as manual cookie domain validation and other security measures typically reduce the risk in real-world scenarios.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
AMQ Clientshttpclient5Fix deferred
Cryostat 3httpclient5Not affected
Cryostat 4httpclient5Not affected
Red Hat AMQ Broker 7httpclient5Not affected
Red Hat build of Apache Camel 4 for Quarkus 3quarkus-camel-bomNot affected
Red Hat build of Apache Camel 4 for Quarkus 3quarkus-cxf-bomNot affected
Red Hat build of Apache Camel for Spring Boot 4httpclient5Not affected
Red Hat build of Apache Camel - HawtIO 4httpclient5Not affected
Red Hat build of Apicurio Registry 2httpclient5Not affected
Red Hat build of Apicurio Registry 3httpclient5Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-295
https://bugzilla.redhat.com/show_bug.cgi?id=2362042org.apache.httpcomponents.client5/httpclient5: Apache HttpComponents: PSL (Public Suffix List) validation bypass

EPSS

Процентиль: 13%
0.00043
Низкий

6.5 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2025-27820

CVSS3: 7.5
ubuntu
5 месяцев назад

A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release

nvd логотип

CVE-2025-27820

CVSS3: 7.5
nvd
5 месяцев назад

A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release

debian логотип

CVE-2025-27820

CVSS3: 7.5
debian
5 месяцев назад

A bug in PSL validation logic in Apache HttpClient 5.4.x disables doma ...

github логотип

GHSA-73m2-qfq3-56cx

CVSS3: 7.5
github
5 месяцев назад

Apache HttpClient disables domain checks

fstec логотип

BDU:2025-05017

CVSS3: 7.5
fstec
6 месяцев назад

Уязвимость механизма PSL validation клиентского модуля Apache HttpClient средства Apache HttpComponents, позволяющая нарушителю осуществить CSRF-атаку

EPSS

Процентиль: 13%
0.00043
Низкий

6.5 Medium

CVSS3