CVE-2011-1498

CWE-200 — Information Exposure9 documents6 sources

Severity

4.3MEDIUM

EPSS

3.6%

top 12.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Httpclient

Timeline

PublishedJul 7

Latest updateMay 17

Description

Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶Mavenorg.apache.httpcomponents:httpclient4.0.0 — 4.1.1

▶NVDapache/httpclient4.0, 4.0.1, 4.1+2

▶Debianhttpcomponents-client< 4.1.1-1+3

🔴Vulnerability Details

GHSA

Exposure of Sensitive Information to an Unauthorized Actor in Apache HttpClient↗2022-05-17

▶

OSV

Exposure of Sensitive Information to an Unauthorized Actor in Apache HttpClient↗2022-05-17

▶

OSV

CVE-2011-1498: Apache HttpClient 4↗2011-07-07

▶

CVEList

CVE-2011-1498: Apache HttpClient 4↗2011-07-07

▶

📋Vendor Advisories

Debian

CVE-2011-1498: httpcomponents-client - Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an a...↗2011

▶

💬Community

Bugzilla

CVE-2011-4320 ejabberd (mod_pubsub): DoS (infinite loop, excessive CPU consumption) by processing malformed <publish> stanza↗2011-11-21

▶

Bugzilla

CVE-2011-1498 httpcomponents-client: sends Proxy-Authorization header to host when tunneling requests through authenticated proxy server↗2011-05-31

▶

Bugzilla

CVE-2011-1498 httpcomponents-client: sends Proxy-Authorization header to host when tunneling requests through authenticated proxy server [fedora-15]↗2011-05-31

▶