The vulnerability of the RequestBuilder class in the CookieStore interface of the asynchronous HTTP request processing library Async Http Client allows a perpetrator to gain unauthorized access to protected information.

The vulnerability of the RequestBuilder class in the CookieStore interface of the asynchronous HTTP request processing library Async Http Client is related to the replacement of cookie files due to incorrect authentication procedures. Exploiting this vulnerability can allow an attacker operating...

io.github.shoothzj:http-client-facade (=0.0.1), io.github.taikonaut3:virtue-demo (>=0.0.1-alpha <=1.0.0-alpha) +7 more potentially affected by CVE-2024-53990 via org.asynchttpclient:async-http-client (>=3.0.0.Beta1 <=3.0.0.Beta3)

org.asynchttpclient:async-http-client MAVEN version =3.0.0.Beta1, =0.0.1-alpha, =0.3.1, =0.0.1, =3.0.0-M2, =3.0.0-M1, =3.0.0-M1, =3.0.0-M1, =3.0.0-M1, =3.0.0-RC2 Source cves: CVE-2024-53990 Source advisory: OSV:GHSA-MFJ5-CF8G-G2FV...

UBUNTU-CVE-2024-53990

The AsyncHttpClient AHC library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When making any HTTP request, the automatically enabled and self-managed CookieStore aka cookie jar will silently replace explicitly defined Cookies with any that ha...

Async Http Client 授权问题漏洞

Async Http Client is AsyncHttpClient open source asynchronous Http and WebSocket client library for Java. An authorization issue vulnerability exists in Async Http Client version 3.0.0, which stems from an automatically enabled and self-managed CookieStore handling mechanism that can lead to...

Security Bulletin: Vulnerability in Async Http Client affects IBM watsonx.data

Summary Async Http Client aka async-http-client could allow a remote attacker to bypass security restrictions, caused by the failure to parse the fragment identifier of the URL when handling '?' character. By using a specially-crafted URL with '?' character, an attacker could exploit this...

Security Bulletin: Vulnerability in Async Http Client affects IBM watsonx.data

Summary Async Http Client aka async-http-client could allow a remote attacker to bypass security restrictions, caused by the failure to parse the fragment identifier of the URL when handling '?' character. By using a specially-crafted URL with '?' character, an attacker could exploit this...

CVE-2024-34364

Envoy is a cloud-native, open source edge and service proxy. Envoy exposed an out-of-memory OOM vector from the mirror response, since async HTTP client will buffer the response with an unbounded buffer...

Async HTTP Client has CRLF Injection vulnerability in HTTP request headers

Versions of Async HTTP Client prior to 1.13.2 are vulnerable to a form of targeted request manipulation called CRLF injection. This vulnerability was the result of insufficient validation of HTTP header field values before sending them to the network. Users are vulnerable if they pass untrusted...

GHSA-V3R5-PJPM-MWGQ Async HTTP Client has CRLF Injection vulnerability in HTTP request headers

Versions of Async HTTP Client prior to 1.13.2 are vulnerable to a form of targeted request manipulation called CRLF injection. This vulnerability was the result of insufficient validation of HTTP header field values before sending them to the network. Users are vulnerable if they pass untrusted...

Async HTTP Client has CRLF Injection vulnerability in HTTP request headers

Versions of Async HTTP Client prior to 1.13.2 are vulnerable to a form of targeted request manipulation called CRLF injection. This vulnerability was the result of insufficient validation of HTTP header field values before sending them to the network. Users are vulnerable if they pass untrusted...

CVE-2023-0040

Versions of Async HTTP Client prior to 1.13.2 are vulnerable to a form of targeted request manipulation called CRLF injection. This vulnerability was the result of insufficient validation of HTTP header field values before sending them to the network. Users are vulnerable if they pass untrusted...

CVE-2023-0040

Versions of Async HTTP Client prior to 1.13.2 are vulnerable to a form of targeted request manipulation called CRLF injection. This vulnerability was the result of insufficient validation of HTTP header field values before sending them to the network. Users are vulnerable if they pass untrusted...

Crlf injection

Versions of Async HTTP Client prior to 1.13.2 are vulnerable to a form of targeted request manipulation called CRLF injection. This vulnerability was the result of insufficient validation of HTTP header field values before sending them to the network. Users are vulnerable if they pass untrusted...

CVE-2023-0040

CVE-2023-0040 affects Async HTTP Client prior to 1.13.2. The root cause is insufficient validation of HTTP header field values, enabling CRLF injection that can inject new HTTP header fields or requests into the data stream. Impact described in the connected documents notes that remote servers ma...

CVE-2023-0040

Versions of Async HTTP Client prior to 1.13.2 are vulnerable to a form of targeted request manipulation called CRLF injection. This vulnerability was the result of insufficient validation of HTTP header field values before sending them to the network. Users are vulnerable if they pass untrusted...

au.com.dius.pact:au.com.dius.pact.gradle.plugin (>=2.1.1 <=2.1.12), au.com.dius:pact-jvm-consumer-groovy-v3_2.10 (>=2.2.11 <=2.2.15) +1354 more potentially affected by CVE-2013-7398 via com.ning:async-http-client (>=1.0.0 <=1.9.0-BETA6)

com.ning:async-http-client MAVEN version =1.0.0, =2.1.1, =2.2.11, =2.2.11, =2.0.0, =2.0.0, =2.0-RC3, =2.0.0, =2.0.0, =2.0.4, =2.0-RC3, =2.0.0, =1.11, =2.0.0, =2.0.5, =2.0.5, =3.2.1 and more Source cves: CVE-2013-7398 Source advisory: OSV:GHSA-5C66-6H6G-6Q6M...

au.com.dius.pact:au.com.dius.pact.gradle.plugin (>=2.1.1 <=2.1.12), au.com.dius:pact-jvm-consumer-groovy-v3_2.10 (>=2.2.11 <=2.2.15) +1354 more potentially affected by CVE-2013-7397 via com.ning:async-http-client (>=1.0.0 <=1.9.0-BETA6)

com.ning:async-http-client MAVEN version =1.0.0, =2.1.1, =2.2.11, =2.2.11, =2.0.0, =2.0.0, =2.0-RC3, =2.0.0, =2.0.0, =2.0.4, =2.0-RC3, =2.0.0, =1.11, =2.0.0, =2.0.5, =2.0.5, =3.2.1 and more Source cves: CVE-2013-7397 Source advisory: OSV:GHSA-8H53-FJGG-G42G...

GHSA-5C66-6H6G-6Q6M Insufficient Verification of Data Authenticity in Async Http Client

main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client aka AHC or async-http-client before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate...

GHSA-8H53-FJGG-G42G Insufficient Verification of Data Authenticity in Async Http Client

Async Http Client aka AHC or async-http-client before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a...

Insufficient Verification of Data Authenticity in Async Http Client

Async Http Client aka AHC or async-http-client before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a...