CVE-2013-7398

2015-06-2416:59:00

Debian Security Bug Tracker

security-tracker.debian.org

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

69.5%

JSON

main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client (aka AHC or async-http-client) before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate.

OSVersionArchitecturePackageVersionFilename
Debian12allasync-http-client< 2.12.3-1async-http-client_2.12.3-1_all.deb
Debian11allasync-http-client< 2.12.2-1async-http-client_2.12.2-1_all.deb
Debian10allasync-http-client< 2.6.0-1async-http-client_2.6.0-1_all.deb
Debian999allasync-http-client< 2.12.3-1async-http-client_2.12.3-1_all.deb
Debian13allasync-http-client< 2.12.3-1async-http-client_2.12.3-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	async-http-client	< 2.12.3-1	async-http-client_2.12.3-1_all.deb
Debian	11	all	async-http-client	< 2.12.2-1	async-http-client_2.12.2-1_all.deb
Debian	10	all	async-http-client	< 2.6.0-1	async-http-client_2.6.0-1_all.deb
Debian	999	all	async-http-client	< 2.12.3-1	async-http-client_2.12.3-1_all.deb
Debian	13	all	async-http-client	< 2.12.3-1	async-http-client_2.12.3-1_all.deb