A vulnerability has been found in Apache HttpClient up to 4.3.0 and classified as very critical. Affected by this vulnerability is an unknown function of the file http/impl/client/HttpClientBuilder.java. The manipulation of the argument X509HostnameVerifier with an unknown input leads to a input validation vulnerability. The CWE definition for the vulnerability is CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification.

The bug was discovered 06/12/2013. The weakness was disclosed 10/30/2017 (Website). It is possible to read the advisory at svn.apache.org. This vulnerability is known as CVE-2013-4366 since 06/12/2013. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details of the vulnerability are known, but there is no available exploit. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 12/02/2019).

The vulnerability was handled as a non-public zero-day exploit for at least 1601 days. During that time the estimated underground price was around $5k-$25k.

Upgrading to version 4.3.1 eliminates this vulnerability.

Productinfo

Vendor

• Apache

Name

• HttpClient

Version

• 4.0
• 4.1
• 4.2
• 4.3

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion