CVE-2013-7397

2015-06-24T12:59:00
ID CVE-2013-7397
Type cve
Reporter NVD
Modified 2018-01-04T21:29:45

Description

Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a typical AHC configuration, as demonstrated by a configuration that does not send client certificates.