Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a typical AHC configuration, as demonstrated by a configuration that does not send client certificates.
References
Configurations
History
07 Nov 2023, 02:18
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2015-06-24 16:59
Updated : 2024-02-28 15:21
NVD link : CVE-2013-7397
Mitre link : CVE-2013-7397
CVE.ORG link : CVE-2013-7397
JSON object : View
Products Affected
async-http-client_project
- async-http-client
redhat
- jboss_fuse
CWE
CWE-345
Insufficient Verification of Data Authenticity