Maven Doxia / DOXIA-576

Upgrade Http Components to 4.4.11 (core) and 4.5.8 (httpclient)


    Details

    • Type: Dependency upgrade
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.9
    • Component/s: None
    • Labels: None

      Description

      The following vulnerabilities are fixed with an upgrade:

      CVE-2011-1498
      Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header. Snyk.io details

      CVE-2012-6153
      http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783. Snyk.io details

      CVE-2014-3577
      Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header. Snyk.io details

      CVE-2015-5262
      http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors. Snyk.io details

      HTTPCLIENT-1803
      Affected versions of the package are vulnerable to Directory Traversal, which may allow access to sensitive files and data on the server. Snyk.io details

      Discovered with Snyk.io scan.
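      As an added example (not part of this issue or of the Doxia project's own build), this is how such an upgrade is usually enforced in a Maven build: the two artifacts are pinned in dependencyManagement so that the affected versions pulled in transitively by other dependencies are overridden as well. The artifact coordinates and versions are the ones named in the issue title; the project coordinates are placeholders.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- Placeholder project coordinates; not a Doxia module -->
  <groupId>org.example</groupId>
  <artifactId>example-site-build</artifactId>
  <version>1.0-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Versions from the issue title. A managed version wins over the
           version declared by any transitive dependency, so an older,
           affected httpclient/httpcore cannot survive in the resolved tree. -->
      <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpcore</artifactId>
        <version>4.4.11</version>
      </dependency>
      <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpclient</artifactId>
        <version>4.5.8</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Direct dependency; its version is taken from dependencyManagement -->
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId>
    </dependency>
  </dependencies>
</project>
```

      After the change, `mvn dependency:tree -Dincludes=org.apache.httpcomponents` shows which httpclient and httpcore versions actually resolve; every listed entry should be the managed version, and an older one still appearing means some dependency path has not been covered.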

              People

              • Assignee: slachiewicz (Sylwester Lachiewicz)
              • Reporter: slachiewicz (Sylwester Lachiewicz)
              • Votes: 0
              • Watchers: 2


                  Time Tracking

                  • Estimated: Not Specified
                  • Remaining: 0h
                  • Logged: 10m