1620 matches found
USN-2769-1 commons-httpclient vulnerabilities
It was discovered that Apache Commons HttpClient did not properly verify the Common Name or subjectAltName fields of X.509 certificates. An attacker could exploit this to perform a machine-in-the-middle attack to view sensitive information or alter encrypted communications. This issue only affect...
MGASA-2015-0392 Updated jakarta-commons-httpclient and httpcomponents-client packages fixes security vulnerability
The Apache httpclient library had a bug where the socket timeout was ignored during the SSL handshake, causing threads in an application to hang CVE-2015-5262...
Simple Backdoor Shell Remote Code Execution
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'Simple Backdoor Shell Remote Code Execution', 'Description' = %q This module exploits unauthenticated simple web backdoor shells by...
[SECURITY] Fedora 21 Update: jakarta-commons-httpclient-3.1-20.fc21
The Hyper-Text Transfer Protocol HTTP is perhaps the most significant protocol used on the Internet today. Web services, network-enabled appliances and the growth of network computing continue to expand the role of the HTTP protocol beyond user-driven web browsers, and increase the number of...
ManageEngine EventLog Analyzer - Remote Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'ManageEngine EventLog Analyzer Remote Code Execution', 'Description' = %q This module exploits a SQL query functionality in...
Symantec Endpoint Protection Manager - Authentication Bypass / Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit4 'Symantec Endpoint Protection Manager Authentication Bypass and Code Execution', 'Description' = %q This module exploits three separa...
async-http-client: missing hostname verification for SSL certificates
It was found that async-http-client did not verify that the server hostname matched the domain name in the subject's Common Name CN or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any...
SysAid Help Desk Administrator Portal Arbitrary File Upload Exploit
This Metasploit module exploits a file upload vulnerability in SysAid Help Desk. The vulnerability exists in the ChangePhoto.jsp in the administrator portal, which does not handle correctly directory traversal sequences and does not enforce file extension restrictions. You need to have an...
HTTP Client Automatic Exploiter 2 (Browser Autopwn)
This module will automatically serve browser exploits. Here are the options you can configure: The INCLUDEPATTERN option allows you to specify the kind of exploits to be loaded. For example, if you wish to load just Adobe Flash exploits, then you can set Include to 'adobeflash'. The EXCLUDEPATTER...
Amazon Linux AMI : python27 (ALAS-2015-552)
It was discovered that multiple Python standard library modules implementing network protocols such as httplib or smtplib failed to restrict sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory.CVE-2013-1752 ...
Design/Logic Flaw
Async Http Client aka AHC or async-http-client before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a...
DEBIAN-CVE-2013-7397
Async Http Client aka AHC or async-http-client before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a...
CVE-2013-7397
Async Http Client aka AHC or async-http-client before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a...
Design/Logic Flaw
main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client aka AHC or async-http-client before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate...
UBUNTU-CVE-2013-7397
Async Http Client aka AHC or async-http-client before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a...
CVE-2013-7397
Async Http Client aka AHC or async-http-client before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a...
CVE-2013-7397
Async Http Client aka AHC or async-http-client before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a...
CVE-2013-7397
Async Http Client (AHC) prior to 1.9.0 fails to verify X.509 certificates unless both a keystore and a truststore are explicitly configured, enabling MITM via spoofed certificates in typical configurations. Affected component is the AHC Java library; exploitation would involve HTTPS usage with mi...
CVE-2013-7397
Async Http Client aka AHC or async-http-client before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a...
CVE-2013-7398
CVE-2013-7398 affects Async Http Client (async-http-client) before 1.9.0, where hostname verification is not required during X.509 certificate verification. This allows MITM attackers to spoof HTTPS servers with arbitrary valid certificates. Mitigation: upgrade to 1.9.0 or newer (vendor advisorie...