Lucene search
K

11 matches found

Debian CVE
Debian CVE
added 2026/06/22 4:40 p.m.6 views

CVE-2026-54280

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, payload resources are not closed correctly when a client disconnects in the middle of a write. If a payload is using an open file or similar limited resource, then an attacker may be able to cause...

7.5CVSS5.8AI score0.00281EPSS
Exploits0
Github Security Blog
Github Security Blog
added 2026/06/15 8:20 p.m.22 views

Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient

Summary When SimpleAsyncHTTPClient follows a 3xx redirect, it shallow-copies the original HTTPRequest, rewrites the URL, decrements maxredirects, and removes only the Host header. It does not clear Authorization, authusername, authpassword, or authmode when the redirect target changes origin. As ...

5.3AI score0.00034EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/05 7:32 p.m.33 views

CVE-2026-45300 async-http-client: Cookie header not stripped on cross-origin redirect

The AsyncHttpClient AHC library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak Cookie headers to cross-origin redirect targets. When following a redirect to a...

7.4CVSS0.00322EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/04/18 1:31 a.m.3 views

CVE-2026-40490

The AsyncHttpClient AHC library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled followRedirecttrue, versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and Proxy-Authorization headers...

6.8CVSS6AI score0.00326EPSS
Exploits0References6Affected Software1
Cvelist
Cvelist
added 2026/04/18 1:31 a.m.28 views

CVE-2026-40490 AsyncHttpClient leaks authorization credentials to untrusted domains on cross-origin redirects

The AsyncHttpClient AHC library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled followRedirecttrue, versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and Proxy-Authorization headers...

6.8CVSS0.00326EPSS
Exploits0References5
vulnersOsv
vulnersOsv
added 2026/04/14 1:7 a.m.6 views

com.akamai.edgegrid:edgegrid-signer-async-http-client (>=6.0.1 <=6.0.3-rc.1), com.arpnetworking.metrics:mad-experimental (>=1.2.4 <=1.2.11) +66 more potentially affected by CVE-2026-40490 via org.asynchttpclient:async-http-client (>=3.0.0.Beta1 <=3.0.7)

org.asynchttpclient:async-http-client MAVEN version =3.0.0.Beta1, =6.0.1, =1.2.4, =1.22.5, =1.13.8, =1.1.0, =0.4.8, =0.4.8, =0.4.8, =1.17.0, =1.17.0, =1.17.0, =0.5.0, =2.7.3, =218.0.0, =14.5.0, =16.0.0 and more Source cves: CVE-2026-40490 Source advisory: SNYK:JAVA-ORGASYNCHTTPCLIENT-16032254...

6.8CVSS5.7AI score0.00326EPSS
Exploits0
Cvelist
Cvelist
added 2026/04/01 8:28 p.m.23 views

CVE-2026-34525 AIOHTTP: Duplicate Host header accepted

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4...

6.3CVSS0.00288EPSS
Exploits0References4
OSV
OSV
added 2024/12/02 6:15 p.m.3 views

DEBIAN-CVE-2024-53990

The AsyncHttpClient AHC library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When making any HTTP request, the automatically enabled and self-managed CookieStore aka cookie jar will silently replace explicitly defined Cookies with any that ha...

9.2CVSS7.9AI score0.00587EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2024/09/20 12:15 a.m.3 views

CVE-2024-45810

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy will crash when the http async client is handling sendLocalReply under some circumstance, e.g., websocket upgrade, and requests mirroring. The http async client will crash during the sendLocalReply in http async client, one...

7.5CVSS5.8AI score0.00637EPSS
Exploits1References2Affected Software1
RedHat Linux
RedHat Linux
added 2018/09/11 7:53 a.m.5 views

async-http-client: Invalid URL parsing with '?'

Async Http Client aka async-http-client before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL CVE-2016-8624 and Oracle Java 8 java.net.URL...

7.5CVSS7.3AI score0.03046EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2015/08/05 4:20 p.m.6 views

async-http-client: SSL/TLS certificate verification is disabled under certain conditions

It was found that async-http-client would disable SSL/TLS certificate verification under certain conditions, for example if HTTPS communication also used client certificates. A man-in-the-middle MITM attacker could use this flaw to spoof a valid certificate...

4.3CVSS5.7AI score0.00993EPSS
Exploits0References4
Rows per page
Query Builder