CVE-2013-7397
Published: Jun 24, 2015
Modified: Aug 6, 2024
PUBLISHED
Description
Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a typical AHC configuration, as demonstrated by a configuration that does not send client certificates.
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | affected n/a |
References
| Reference | Type | Source |
|---|---|---|
| RHSA-2015:0850 | vendor-advisory | x_refsource_REDHAT |
| RHSA-2015:1176 | vendor-advisory | x_refsource_REDHAT |
| RHSA-2015:0851 | vendor-advisory | x_refsource_REDHAT |
| 69316 | vdb-entry | x_refsource_BID |
| https://github.com/AsyncHttpClient/async-http-client/issues/352 | | x_refsource_CONFIRM |
| [oss-security] 20140825 Re: CVE Request: Multiple issues in com.ning:async-http-client | mailing-list | x_refsource_MLIST |
| RHSA-2015:1551 | vendor-advisory | x_refsource_REDHAT |
| [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list | mailing-list | x_refsource_MLIST |