org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
oryginał ENAV:N/AC:M/Au:N/C:P/I:P/A:NApache Httpasyncclient
APPApache4.0 – 4.0.1Apache Httpclient
APPApache4.0 – 4.3.4
Powiązane podatności
http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509Hostn...
Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to acc...
A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management a...
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in...
http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the htt...