Details
- Type: Dependency upgrade
- Status: Closed
- Priority: Minor
- Resolution: Fixed
Description
The following vulnerabilities are fixed with an upgrade:
- CVE-2011-1498: Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header. (Snyk.io details)
- CVE-2012-6153: http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783. (Snyk.io details)
- CVE-2014-3577: Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header. (Snyk.io details)
- CVE-2015-5262: http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors. (Snyk.io details)
- HTTPCLIENT-1803: Affected versions of the package are vulnerable to Directory Traversal, which may allow access to sensitive files and data on the server. (Snyk.io details)
Discovered with Snyk.io scan.
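To illustrate the hostname-verification weakness listed above for CVE-2012-6153 (a CN supplied in a non-CN field of the subject), here is an added example written for this page, not HttpClient's own code: a naive CN extractor that splits the subject DN string on every comma, beside one that honours RFC 4514 escaping and reads CNs only from CN RDNs. The sample DNs, hostnames and function names are constructed for the example.

```python
import re

# Constructed sample subject DNs in RFC 2253 string form (the shape Java's
# X500Principal.getName() returns); hostnames are illustrative only.
HONEST_DN = "CN=www.apache.org,O=Example Org,C=US"
# A literal comma inside the O value is backslash-escaped, so the "CN="
# that follows it is part of O's data, not a separate RDN.
CRAFTED_DN = "O=foo\\,CN=www.apache.org,CN=attacker.example"

def naive_cns(dn):
    # Weak shape: split on every comma, keep any CN= token, ignore escapes.
    cns = []
    for token in dn.split(","):
        attr, sep, value = token.strip().partition("=")
        if sep and attr.strip().upper() == "CN":
            cns.append(value.strip())
    return cns

def split_rdns(dn):
    # Split only on commas that are not backslash-escaped (RFC 4514 section 3).
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped or ch != ",":
            buf.append(ch)
            escaped = (ch == "\\") and not escaped
        else:
            parts.append("".join(buf))
            buf = []
    parts.append("".join(buf))
    return parts

def strict_cns(dn):
    # Take CNs only from RDNs whose attribute type is CN, then unescape.
    cns = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().upper() == "CN":
            cns.append(re.sub(r"\\(.)", r"\1", value.strip()))
    return cns

def hostname_matches(cns, hostname):
    # Exact, case-insensitive match; wildcard and SAN handling omitted.
    return any(cn.lower() == hostname.lower() for cn in cns)
```

With the crafted DN, the naive extractor reports www.apache.org as a CN and the hostname check passes, while the strict extractor sees only attacker.example and the check fails.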
Attachments
Issue Links
- relates to:
  - HTTPCLIENT-1803 Malformed path not handled well (Closed)
  - HTTPCLIENT-1478 https calls ignore http.socket.timeout during SSL Handshake (Closed)
- links to