Uploaded image for project: 'Axis2'
  1. Axis2
  2. AXIS2-5757

Version of httpclient bundled in axis2-1.7.1 is exposed to to the vulnerability CVE-2012-6153, CVE-2014-3577

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 1.4, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.7.1
    • 1.7.4
    • transports
    • Axis2 used as a Web Service Provider for an application
    • Important

    Description

      Version of httpclient bundled in axis2-1.7.1 is exposed to to the vulnerability CVE-2012-6153, CVE-2014-3577

      Hi

      The version of httpclient (httpclient-4.2.1.jar) bundled with axis2-1.7.1 is susceptible to CVE-2012-6153, CVE-2014-3577

      The Vulnerability says that the class "http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3" is vulnerability. (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153)

      What plans we have for Axis2 to address this Vulnerability. Will it be fixed in the upcoming 1.7.2 or 1.8 release or any other release. If yes, when would that be. Reason for this query is our application uses Axis2 and and hence exposed to this vulnerability.

      Thanks,
      Regds,
      Deepak

      Attachments

        Issue Links

        is duplicated by

        Bug - A problem which impairs or prevents the functions of the product. AXIS2-5759 Upgrade HTTPCore and HTTPClient into latest versions

        • Major - Major loss of function.
        • Closed

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            veithen Andreas Veithen
            deepnaik Deepak
            Votes:
            1 Vote for this issue
            Watchers:
            6 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment