Main Vulnerability Database Vulnerabilities #VU37997

Input validation error in httpclient - CVE-2013-4366

Published: October 30, 2017 / Updated: August 8, 2020

Vulnerability identifier: #VU37997

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2013-4366

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: nahi

Affected software:
httpclient

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification.

How to mitigate CVE-2013-4366

Install update from vendor's website.

Sources

http://svn.apache.org/r1528614
http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.3.x.txt

Input validation error in httpclient - CVE-2013-4366

Detailed vulnerability description

How to mitigate CVE-2013-4366

Sources

Please verify you're human