CVE-2013-7397Insufficient Verification of Data Authenticity in Project Async-http-client

CWE-345Insufficient Verification of Data AuthenticityCWE-295Improper Certificate Validation10 documents8 sources
Severity
4.3MEDIUMNVD
EPSS
1.1%
top 22.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Async-http-client Project Async-http-clientRedhat Jboss Fuse
Timeline
PublishedJun 24
Latest updateMay 13

Description

Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a typical AHC configuration, as demonstrated by a configuration that does not send client certificates.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

🔴Vulnerability Details

4
OSV
Insufficient Verification of Data Authenticity in Async Http Client2022-05-13
GHSA
Insufficient Verification of Data Authenticity in Async Http Client2022-05-13
OSV
CVE-2013-7397: Async Http Client (aka AHC or async-http-client) before 12015-06-24
CVEList
CVE-2013-7397: Async Http Client (aka AHC or async-http-client) before 12015-06-24

📋Vendor Advisories

3
Jenkins
Jenkins Security Advisory 2016-06-202016-06-20
Red Hat
async-http-client: SSL/TLS certificate verification is disabled under certain conditions2013-07-30
Debian
CVE-2013-7397: async-http-client - Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certif...2013

💬Community

2
Bugzilla
CVE-2013-7397 async-http-client: SSL/TLS certificate verification is disabled under certain conditions2014-08-26
Bugzilla
CVE-2013-7397 async-http-client: SSL/TLS certificate verification is disabled under certain conditions [fedora-all]2014-08-26
CVE-2013-7397 — Project Async-http-client vulnerability | cvebase