
Kishore Bhatia

Researcher from CloudBees, Inc.
Rank: #30472 of 53,638
Total CVSS: 8.6
Vulnerabilities: 2 (Medium: 2)
PT-2015-3574 · CVSS 4.3 · 2015-05-11
None · Async Http Client · CVE-2013-7397

**Name of the Vulnerable Software and Affected Versions**
Async Http Client versions prior to 1.9.0

**Description**
The issue allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a typical configuration, as demonstrated by a configuration that does not send client certificates. This occurs because X.509 certificate verification is skipped unless both a keyStore location and a trustStore location are explicitly set.

**Recommendations**
For versions prior to 1.9.0, ensure that both a keyStore location and a trustStore location are explicitly set to enable X.509 certificate verification and prevent man-in-the-middle attacks.
PT-2015-3575 · CVSS 4.3 · 2015-05-11
None · Async Http Client · CVE-2013-7398

**Name of the Vulnerable Software and Affected Versions**
Async Http Client versions prior to 1.9.0

**Description**
The issue allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate, because the client does not require a hostname match during verification of X.509 certificates.

**Recommendations**
For versions prior to 1.9.0, update to version 1.9.0 or later to resolve the issue.