Lucene search
K

78 matches found

OSV
OSV
added 2022/05/13 1:12 a.m.32 views

GHSA-5C66-6H6G-6Q6M Insufficient Verification of Data Authenticity in Async Http Client

main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client aka AHC or async-http-client before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate...

4.3CVSS9AI score0.0083EPSS
Exploits0References12
OpenVAS
OpenVAS
added 2022/01/28 12:0 a.m.32 views

Mageia: Security Advisory (MGASA-2015-0212)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

4.3CVSS6.7AI score0.00993EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2020/10/16 5:3 p.m.83 views

Memory exhaustion in http4s-async-http-client with large or malicious compressed responses

Impact A server we connect to with http4s-async-http-client could theoretically respond with a large or malicious compressed stream and exhaust memory in the client JVM. It does not affect http4s servers, other client backends, or clients that speak only to trusted servers. This is related to a...

7.5CVSS1.2AI score0.09438EPSS
Exploits0References2Affected Software2
OSV
OSV
added 2020/10/16 5:3 p.m.6 views

GHSA-8HXH-R6F7-JF45 Memory exhaustion in http4s-async-http-client with large or malicious compressed responses

Impact A server we connect to with http4s-async-http-client could theoretically respond with a large or malicious compressed stream and exhaust memory in the client JVM. It does not affect http4s servers, other client backends, or clients that speak only to trusted servers. This is related to a...

6.9AI score
Exploits0References2
Veracode
Veracode
added 2019/11/05 7:28 a.m.17 views

Information Disclosure

play-ws is vulnerable to information disclosure. The vulnerability exists through a regression caused by async-http-client that causes HTTP CONNECT requests set to an outbound HTTPS requests when using an authenticated proxy server...

7.5CVSS0.4AI score0.00698EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2019/10/11 5:4 a.m.9 views

XML External Entity (XXE)

async-http-client is vulnerable to XML external entity attacks. The external DTD support in the Webdav module is not disabled, allowing attackers to access and retrieve system files, submit requests on behalf of the server, or potentially cause a denial of service...

6.3AI score
Exploits0
Github Security Blog
Github Security Blog
added 2018/10/19 4:50 p.m.50 views

Improper Input Validation in async-http-client

Async Http Client aka async-http-client before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL CVE-2016-8624 and Oracle Java 8 java.net.URL...

7.5CVSS2.1AI score0.03046EPSS
Exploits0References30Affected Software1
OSV
OSV
added 2018/10/19 4:50 p.m.3 views

GHSA-93JQ-624G-4P9P Improper Input Validation in async-http-client

Async Http Client aka async-http-client before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL CVE-2016-8624 and Oracle Java 8 java.net.URL...

7.5CVSS7.2AI score0.03046EPSS
Exploits0References31
vulnersOsv
vulnersOsv
added 2018/10/16 11:12 p.m.2 views

org.apache.camel:camel-ahc-ws (=2.16.0) potentially affected by CVE-2015-5348 via org.apache.camel:camel-ahc (=2.16.0)

org.apache.camel:camel-ahc MAVEN version =2.16.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.camel:camel-ahc and may be impacted: - org.apache.camel:camel-ahc-ws =2.16.0 Source cves: CVE-2015-5348 Source advisory: OSV:GHSA-26V6-W6FW-RH94...

8.1CVSS7.2AI score0.06365EPSS
Exploits0
CNVD
CNVD
added 2017/09/04 12:0 a.m.2 views

Vulnerability in Async Http Client

Async Http Client aka AHC or async-http-client is a client library that allows a Java application to perform an HTTP request and process that HTTP response asynchronously. A security vulnerability exists in Async Http Client versions prior to 2.0.35. An attacker could exploit the vulnerability to...

7.5CVSS7.5AI score0.03046EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2017/09/01 10:18 a.m.40 views

CVE-2017-14063

Async Http Client aka async-http-client before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL CVE-2016-8624 and Oracle Java 8 java.net.URL...

7.5CVSS2AI score0.05915EPSS
Exploits0References1
Prion
Prion
added 2017/08/31 4:29 p.m.31 views

Design/Logic Flaw

Async Http Client aka async-http-client before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL CVE-2016-8624 and Oracle Java 8 java.net.URL...

5CVSS8.2AI score0.05915EPSS
Exploits0References28Affected Software1
NVD
NVD
added 2017/08/31 4:29 p.m.36 views

CVE-2017-14063

Async Http Client aka async-http-client before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL CVE-2016-8624 and Oracle Java 8 java.net.URL...

7.5CVSS6.5AI score0.03046EPSS
Exploits0References28
UbuntuCve
UbuntuCve
added 2017/08/31 4:29 p.m.31 views

CVE-2017-14063

Async Http Client aka async-http-client before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL CVE-2016-8624 and Oracle Java 8 java.net.URL...

7.5CVSS7.1AI score0.03046EPSS
Exploits0References4
OSV
OSV
added 2017/08/31 4:29 p.m.28 views

CVE-2017-14063

Async Http Client aka async-http-client before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL CVE-2016-8624 and Oracle Java 8 java.net.URL...

7.5CVSS6.5AI score
Exploits0References28
CVE
CVE
added 2017/08/31 4:0 p.m.109 views

CVE-2017-14063

CVE-2017-14063 affects Async Http Client (async-http-client) prior to 2.0.35. The underlying issue allows an attacker to cause the client to connect to a host different from the one parsed from java.net.URI when a ? appears in a fragment. This vulnerability is corroborated by CNVD-2017-31118, whi...

7.5CVSS7.7AI score0.03046EPSS
Exploits0References28Affected Software1
Cvelist
Cvelist
added 2017/08/31 4:0 p.m.37 views

CVE-2017-14063

Async Http Client aka async-http-client before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL CVE-2016-8624 and Oracle Java 8 java.net.URL...

6.8AI score0.03046EPSS
Exploits0References28
Debian CVE
Debian CVE
added 2017/08/31 4:0 p.m.50 views

CVE-2017-14063

Async Http Client aka async-http-client before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL CVE-2016-8624 and Oracle Java 8 java.net.URL...

7.5CVSS7.5AI score0.03046EPSS
Exploits0
Veracode
Veracode
added 2017/08/31 5:28 a.m.26 views

Malicious Host Redirect

async-http-client is vulnerable to malicious host redirects. The library interprets the ? character in a URL as the beginning of a query or an ending of a path, allowing a malicious user to cause the application to connect to a malicious host...

7.5CVSS7.4AI score0.03046EPSS
Exploits0References54Affected Software1
UbuntuCve
UbuntuCve
added 2015/06/24 4:59 p.m.29 views

CVE-2013-7397

Async Http Client aka AHC or async-http-client before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a...

4.3CVSS7.2AI score0.00993EPSS
Exploits0References2
Rows per page
Query Builder