8 matches found
CVE-2020-13956
CVE-2020-13956 affects Apache HttpClient prior to 4.5.13 and 5.0.3. A malformed authority component in request URIs, when passed as a java.net.URI, can cause the client to misinterpret the target host and execute the request against an unintended host. This represents a misrouting vulnerability i...
CVE-2012-5783
Apache Commons HttpClient 3.x (as used in Amazon FPS Java SDK and related products) is affected by CVE-2012-5783: the code does not verify that the server hostname matches the CN/subjectAltName in the X.509 certificate, enabling potential MITM spoofing with arbitrary certificates. AIX advisories,...
CVE-2025-27820
CVE-2025-27820 affects Apache HttpClient 5.4.x, where a PSL validation logic bug disables domain checks, impacting cookie management and hostname verification. Root cause: PSL validation flaw in 5.4.x. Impact: as described, with potential weaknesses in hostname verification and cookie handling; C...
CVE-2014-3577
CVE-2014-3577 (Apache HttpComponents). The vulnerability affects Apache HttpClient prior to 4.3.5 and HttpAsyncClient prior to 4.0.2, where hostname verification against the certificate’s CN or subjectAltName can fail due to an incomplete/incorrect check, enabling man-in-the-middle attackers to s...
CVE-2015-5262
CVE-2015-5262 affects Apache HttpComponents HttpClient prior to 4.3.6, where the http.socket.timeout setting is ignored during SSL handshakes, enabling potential DoS via HTTPS call hangs. IBM-connected docs reference this CVE in IBM StreamSets Data Collector 6.4.0 with a fixed release path, noting...
CVE-2011-1498
CVE-2011-1498: Apache HttpClient (HttpComponents) 4.x releases before 4.1.1 are vulnerable when used with an authenticating proxy; the Proxy-Authorization header is sent to the origin server, potentially logging sensitive credentials and exposing passwords. The description does not specify affecte...
CVE-2013-4366
CVE-2013-4366 concerns http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1, where the code does not ensure that the X509HostnameVerifier is non-null. This can allow attackers to trigger unspecified impact via vectors involving hostname verification. Connected documents...
CVE-2026-40542
Apache HttpClient 5.6 is affected by a missing step in SCRAM-SHA-256 mutual authentication, allowing a client to accept authentication without proper mutual verification. The issue impacts the 5.6 release and is fixed by upgrading to version 5.6.1. Affected component: Apache HttpClient (Java), v5...