CVE-2013-7398Insufficient Verification of Data Authenticity in Project Async-http-client

CWE-345Insufficient Verification of Data AuthenticityCWE-297Improper Validation of Certificate with Host Mismatch9 documents8 sources
Severity
4.3MEDIUMNVD
EPSS
1.0%
top 22.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Async-http-client Project Async-http-clientRedhat Jboss Fuse
Timeline
PublishedJun 24
Latest updateMay 13

Description

main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client (aka AHC or async-http-client) before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

🔴Vulnerability Details

3
OSV
Insufficient Verification of Data Authenticity in Async Http Client2022-05-13
GHSA
Insufficient Verification of Data Authenticity in Async Http Client2022-05-13
CVEList
CVE-2013-7398: main/java/com/ning/http/client/AsyncHttpClientConfig2015-06-24

📋Vendor Advisories

3
Jenkins
Jenkins Security Advisory 2016-06-202016-06-20
Red Hat
async-http-client: missing hostname verification for SSL certificates2013-01-09
Debian
CVE-2013-7398: async-http-client - main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client (...2013

💬Community

2
Bugzilla
CVE-2013-7398 async-http-client: missing hostname verification for SSL certificates [fedora-all]2014-08-26
Bugzilla
CVE-2013-7398 async-http-client: missing hostname verification for SSL certificates2014-08-26
CVE-2013-7398 — Project Async-http-client vulnerability | cvebase