Input validation error in httpclient

#VU37997 Input validation error in httpclient

Published: 2017-10-30 | Updated: 2020-08-08

Vulnerability identifier: #VU37997

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2013-4366

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
httpclient
Other software / Other software solutions

Vendor: nahi

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification.

Mitigation
Install update from vendor's website.

Vulnerable software versions

httpclient: 4.3

External links
http://svn.apache.org/r1528614
http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.3.x.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Voice Gateway

Input validation error in nahi httpclient