Severity: 4.3 MEDIUM
EPSS: 1.6% (top 18.18%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 27 | Latest update Mar 25

Description

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
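The failure mode described above is a peer that accepts the TCP connection and then never answers the ClientHello: the connect timeout has already been satisfied, and on 4.3.0 through 4.3.5 the request-level socket timeout is only applied to the connection after it is fully established, so the blocking read inside the handshake has no bound. The following is an added example, not code from the HttpClient project or from any advisory on this page. It assumes the HttpClient 4.3.x API (in particular the protected `SSLConnectionSocketFactory.prepareSocket(SSLSocket)` hook, which 4.3.x invokes immediately before `startHandshake()`), and it uses a constructed local "silent" server rather than any real host. The class name `HandshakeTimeoutExample` and the helper names are hypothetical.

```java
import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.config.SocketConfig;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLContexts;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

/**
 * Added example (not HttpClient project code). Bounds the TLS handshake on
 * HttpClient 4.3.0-4.3.5 by setting SO_TIMEOUT on the SSL socket itself
 * before startHandshake(), so a peer that never answers the ClientHello
 * produces a SocketTimeoutException instead of an indefinite hang.
 */
public final class HandshakeTimeoutExample {

    /** Factory that applies SO_TIMEOUT right before the handshake starts. */
    static final class HandshakeTimeoutSslFactory extends SSLConnectionSocketFactory {
        private final int handshakeTimeoutMillis;

        HandshakeTimeoutSslFactory(SSLContext ctx, int handshakeTimeoutMillis) {
            super(ctx, SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
            this.handshakeTimeoutMillis = handshakeTimeoutMillis;
        }

        @Override
        protected void prepareSocket(SSLSocket socket) throws IOException {
            // 4.3.x calls prepareSocket() immediately before startHandshake(),
            // so every blocking read inside the handshake now honours this bound.
            socket.setSoTimeout(handshakeTimeoutMillis);
        }
    }

    static CloseableHttpClient buildClient(int timeoutMillis) {
        SSLContext ctx = SSLContexts.createSystemDefault();
        RequestConfig requestConfig = RequestConfig.custom()
                .setConnectTimeout(timeoutMillis)
                .setSocketTimeout(timeoutMillis)   // the http.socket.timeout of the advisory
                .build();
        // Belt and braces: SocketConfig.soTimeout is applied to the plain socket
        // before connect(); the factory above re-applies it on the SSL layer.
        SocketConfig socketConfig = SocketConfig.custom().setSoTimeout(timeoutMillis).build();
        return HttpClients.custom()
                .setSSLSocketFactory(new HandshakeTimeoutSslFactory(ctx, timeoutMillis))
                .setDefaultSocketConfig(socketConfig)
                .setDefaultRequestConfig(requestConfig)
                .build();
    }

    /** Constructed test peer: accepts the TCP connection and never sends a byte. */
    static ServerSocket startSilentPeer() throws IOException {
        final ServerSocket server = new ServerSocket(0);
        Thread t = new Thread(() -> {
            try {
                Socket client = server.accept();
                Thread.sleep(Long.MAX_VALUE);   // hold the connection open, say nothing
                client.close();
            } catch (Exception ignored) {
            }
        });
        t.setDaemon(true);
        t.start();
        return server;
    }

    public static void main(String[] args) throws Exception {
        try (ServerSocket peer = startSilentPeer();
             CloseableHttpClient client = buildClient(2000)) {
            String url = "https://127.0.0.1:" + peer.getLocalPort() + "/";
            long start = System.currentTimeMillis();
            try (CloseableHttpResponse rsp = client.execute(new HttpGet(url))) {
                System.out.println("unexpected response: " + rsp.getStatusLine());
            } catch (SocketTimeoutException e) {
                // With the bound in place the handshake fails after ~2 s; on an
                // unpatched 4.3.x without this factory the call would hang here.
                System.out.println("handshake timed out after "
                        + (System.currentTimeMillis() - start) + " ms: " + e.getMessage());
            } catch (IOException e) {
                System.out.println("handshake failed: " + e.getClass().getSimpleName()
                        + ": " + e.getMessage());
            }
        }
    }
}
```

Upgrading to 4.3.6 or later is the real fix; the override above is a stop-gap for deployments that cannot move yet, and it is harmless on fixed versions. Note the Bugzilla entry further down that the fix was not backported to the 4.2.x line, so 4.2.x users need the same kind of explicit bound on the socket.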

CVSS vector

AV:N/AC:M/C:N/I:N/A:P
Exploitability: 8.6 | Impact: 2.9

Affected Packages (4 packages)

Source   Package                  Affected versions
NVD      apache/httpclient        4.3 to 4.3.5
Debian   commons-httpclient       < 3.1-12+3
Debian   httpcomponents-client    < 4.3.6-1+3

Also affects: Fedora 21, 22, 23, Ubuntu Linux 12.04, 14.04, 15.04

🔴 Vulnerability Details (5)

GHSA     PyKMIP Denial of service vulnerability                                              2018-12-21
OSV      Denial of service vulnerability in org.apache.httpcomponents:httpclient             2018-10-17
GHSA     Denial of service vulnerability in org.apache.httpcomponents:httpclient             2018-10-17
OSV      CVE-2015-5262: http/conn/ssl/SSLConnectionSocketFactory                             2015-10-27
CVEList  CVE-2015-5262: http/conn/ssl/SSLConnectionSocketFactory                             2015-10-27

📋 Vendor Advisories (5)

Red Hat  python-pykmip: DoS due to undefined default timeout for all server sockets          2018-04-24
Jenkins  Jenkins Security Advisory 2018-02-26                                                2018-02-26
Ubuntu   Apache Commons HttpClient vulnerabilities                                           2015-10-14
Red Hat  httpcomponents-core: missing HTTPS connection timeout                               2015-09-03
Debian   CVE-2015-5262: commons-httpclient - http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClien...  2015

💬 Community (5)

Bugzilla  Fix for CVE-2015-5262 not backported to 4.2.x                                                                         2019-03-25
Bugzilla  CVE-2018-1000872 python-pykmip: DoS due to undefined default timeout for all server sockets                            2019-01-11
Bugzilla  CVE-2015-5262 jakarta-commons-httpclient: jakarta-commons-httpclient, httpcomponents-core: missing HTTPS connection timeout [fedora-all]  2015-09-11
Bugzilla  CVE-2015-5262 jakarta-commons-httpclient, httpcomponents-core: missing HTTPS connection timeout                       2015-09-09
Bugzilla  CVE-2015-5262 jakarta-commons-httpclient: https calls ignore http.socket.timeout during SSL Handshake                  2015-09-03
CVE-2015-5262 (MEDIUM CVSS 4.3) | http/conn/ssl/SSLConnectionSocketFa | cvebase.io