CVE-2013-7397

CVSS v2.0: 4.3 (Medium)
EPSS: 0.30% (70th percentile)
Affected Products: 2
Advisories: 2

Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a typical AHC configuration, as demonstrated by a configuration that does not send client certificates.

Weaknesses
CWE-345: Insufficient Verification of Data Authenticity
CVE Status: PUBLISHED
CNA: MITRE
Published Date: 2015-06-24 16:59:00
Updated Date: 2023-11-07 02:18:03

Affected Products


Configuration #1

  Product: Redhat Jboss Fuse, 6.1.0 and prior versions
  CPE23:   cpe:2.3:a:redhat:jboss_fuse
  From:    (unspecified)
  Up To:   <= 6.1.0

Configuration #2

  Product: Async-http-client Project Async-http-client Beta24, 1.9.0 and prior versions
  CPE23:   cpe:2.3:a:async-http-client_project:async-http-client::beta24
  From:    (unspecified)
  Up To:   <= 1.9.0