Oracle Linux 8 : maven:3.6 (ELSA-2022-1860)

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2022-1860 advisory. - Resolves: CVE-2020-13956 maven Tenable has extracted the preceding description block directly from the Oracle Linux security advisory. Note that Nessus has no...

Exposure of Sensitive Information to an Unauthorized Actor in Apache HttpClient

Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header...

GHSA-GW85-4GMF-M7RH Exposure of Sensitive Information to an Unauthorized Actor in Apache HttpClient

Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header...

ai.api.libai.speech:libai-speech-gcp (>=1.4.6 <=1.6.12), ai.grakn:janus-factory (>=0.17.0 <=0.18.0) +4473 more potentially affected by CVE-2011-1498 via org.apache.httpcomponents:httpclient (>=4.0.1 <=4.1-beta1)

org.apache.httpcomponents:httpclient MAVEN version =4.0.1, =1.4.6, =0.17.0, =0.2.3.5, =0.2.3.5, =3.14.0.1, =3.8.2.4, =0.2.3.5, =3.14.0.7, =3.16.0.1, =3.14.0.1, =3.10.5.1, =3.10.4.1, =3.10.4.1, =3.20.0.1, =3.32.1.5 and more Source cves: CVE-2011-1498 Source advisory: OSV:GHSA-GW85-4GMF-M7RH...

Zyxel Firewall ZTP Unauthenticated Command Injection

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Zyxel Firewall ZTP Unauthenticated Command Injection', 'Description' = %q This module exploits CVE-2022-30525, an unauthenticated remote command...

MitM on Jenkins Maven Plugin

Jenkins Maven Plugin 2.17 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. Maven Plugin 3.0 no longer has a dependency on commons-httpclient...

GHSA-QHXW-54M9-6WWC MitM on Jenkins Maven Plugin

Jenkins Maven Plugin 2.17 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. Maven Plugin 3.0 no longer has a dependency on commons-httpclient...

Improper Certificate Validation in Jenkins

Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins...

GHSA-FQ9F-9WV9-RFMG Improper Certificate Validation in Jenkins

Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins...

GHSA-M4J5-HGQQ-5JF2 Insecure cookie sharing in Hawtio

It was discovered that the hawtio servlet 1.4 uses a single HttpClient instance to proxy requests with a persistent cookie store cookies are stored locally and are not passed between the client and the end URL which means all clients using that proxy are sharing the same cookies...

GHSA-PQWH-44JJ-P5RM Hostname verification in Apache HttpClient 4.3 was disabled by default

http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification...

at.molindo:etcd-client (=0.1), br.com.ingenieux:beanstalk-maven-plugin (=1.4.0) +476 more potentially affected by CVE-2013-4366 via org.apache.httpcomponents:httpclient (>=4.3 <=4.3-beta2)

org.apache.httpcomponents:httpclient MAVEN version =4.3, =1.2.0, =1.3.3, =3.0.0, =3.1.1 - com.amazonaws.resources:aws-resources =0.0.3 - com.amazonaws.resources:aws-resources-core =0.0.3 - com.amazonaws.resources:aws-resources-ec2 =0.0.3 - com.amazonaws.resources:aws-resources-glacier =0.0.3 -...

Hostname verification in Apache HttpClient 4.3 was disabled by default

http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification...

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +13938 more potentially affected by CVE-2012-5783 via commons-httpclient:commons-httpclient (>=3.0 <=3.1-rc1)

commons-httpclient:commons-httpclient MAVEN version =3.0, =1.1, =0.0.1, =0.25-rc1, =0.25-rc1, =0.25, =0.25, =0.25, =0.25, =0.0.25, =0.0.25, =0.0.62, =def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91 and more Source cves: CVE-2012-5783 Source advisory: OSV:GHSA-3832-9276-X7GF...

GHSA-3832-9276-X7GF Improper Certificate Validation in Apache Commons HttpClient

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service FPS merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle...

Improper Certificate Validation in Apache Commons HttpClient

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service FPS merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle...

AlmaLinux 8 : maven:3.5 (ALSA-2022:1861)

The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2022:1861 advisory. apache-httpclient: incorrect handling of malformed authority component in request URIs CVE-2020-13956 Tenable has extracted the preceding description block directl...

AlmaLinux 8 : maven:3.6 (ALSA-2022:1860)

The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2022:1860 advisory. apache-httpclient: incorrect handling of malformed authority component in request URIs CVE-2020-13956 Tenable has extracted the preceding description block directl...

RHEL 8 : .NET Core 3.1 (RHSA-2022:2202)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:2202 advisory. .NET Core is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR...

dotnet: excess memory allocation via HttpClient causes DoS

A flaw was found in dotnet. The Microsoft Security Advisory describes the issue of the Apply MaxResponseHeadersLength limit for trailing headers to address a denial of service via excess memory allocations through the HttpClient...