PT-2015-3575 · None · Async Http Client

Kishore Bhatia

Published

2015-05-11

Updated

2022-05-13

CVE-2013-7398

CVSS v2.0

4.3

Medium

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions Async Http Client versions prior to 1.9.0

Description The issue allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate because it does not require a hostname match during verification of X.509 certificates.

Recommendations For versions prior to 1.9.0, update to version 1.9.0 or later to resolve the issue.

Fix

Insufficient Verification of Data Authenticity

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-345

Related Identifiers

CVE-2013-7398

GHSA-5C66-6H6G-6Q6M

MGASA-2015-0212

Affected Products

Async Http Client

PT-2015-3575 · None · Async Http Client

CVE-2013-7398

Weakness Enumeration

Related Identifiers

Affected Products

References · 21