CVE-2013-7398 - OpenCVE

main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client (aka AHC or async-http-client) before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Async-http-client Project	Async-http-client
Redhat	Jboss Fuse

Configuration 1 [-]

cpe:2.3:a:async-http-client_project:async-http-client:*:beta24:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:redhat:jboss_fuse:*:*:*:*:*:*:*:*

References

Link	Resource
http://openwall.com/lists/oss-security/2014/08/26/1
http://rhn.redhat.com/errata/RHSA-2015-0850.html
http://rhn.redhat.com/errata/RHSA-2015-0851.html
http://rhn.redhat.com/errata/RHSA-2015-1176.html
http://rhn.redhat.com/errata/RHSA-2015-1551.html
http://www.securityfocus.com/bid/69317
https://github.com/AsyncHttpClient/async-http-client/issues/197	Vendor Advisory
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-06-20

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2015-06-24T16:00:00

Updated: 2020-12-16T05:06:36

Reserved: 2014-08-25T00:00:00

Link: CVE-2013-7398

JSON object: View

NVD Information

Status : Modified

Published: 2015-06-24T16:59:01.280

Modified: 2023-11-07T02:18:03.143

Link: CVE-2013-7398

JSON object: View

Redhat Information

No data.

CWE

CWE-345

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-01-09T00:00:00", "descriptions": [{"lang": "en", "value": "main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client (aka AHC or async-http-client) before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-12-16T05:06:36", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "69317", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/69317"}, {"name": "RHSA-2015:0850", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html"}, {"name": "RHSA-2015:1176", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1176.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/AsyncHttpClient/async-http-client/issues/197"}, {"name": "RHSA-2015:0851", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-06-20"}, {"name": "[oss-security] 20140825 Re: CVE Request: Multiple issues in com.ning:async-http-client", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2014/08/26/1"}, {"name": "RHSA-2015:1551", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1551.html"}, {"name": "[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E"}, {"name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-7398", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client (aka AHC or async-http-client) before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "69317", "refsource": "BID", "url": "http://www.securityfocus.com/bid/69317"}, {"name": "RHSA-2015:0850", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html"}, {"name": "RHSA-2015:1176", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-1176.html"}, {"name": "https://github.com/AsyncHttpClient/async-http-client/issues/197", "refsource": "CONFIRM", "url": "https://github.com/AsyncHttpClient/async-http-client/issues/197"}, {"name": "RHSA-2015:0851", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html"}, {"name": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-06-20", "refsource": "CONFIRM", "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-06-20"}, {"name": "[oss-security] 20140825 Re: CVE Request: Multiple issues in com.ning:async-http-client", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2014/08/26/1"}, {"name": "RHSA-2015:1551", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-1551.html"}, {"name": "[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E"}, {"name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-7398", "datePublished": "2015-06-24T16:00:00", "dateReserved": "2014-08-25T00:00:00", "dateUpdated": "2020-12-16T05:06:36", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:async-http-client_project:async-http-client:*:beta24:*:*:*:*:*:*", "matchCriteriaId": "7316393E-F184-4521-B9A8-7C2F8032732E", "versionEndIncluding": "1.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_fuse:*:*:*:*:*:*:*:*", "matchCriteriaId": "882CD859-9180-4AF7-A5E1-9CAB574CA667", "versionEndIncluding": "6.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client (aka AHC or async-http-client) before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate."}, {"lang": "es", "value": "main/java/com/ning/http/client/AsyncHttpClientConfig.java en Async Http Client (tambi\u00e9n conocido como AHC o async-http-client) anterior a 1.9.0 no requiere una coincidencia de nombre de anfitri\u00f3n durante la verificaci\u00f3n de los certificados X.509, lo que permite a atacantes man-in-the-middle falsificar servidores HTTPS a trav\u00e9s de un certificado v\u00e1lido arbitrario."}], "id": "CVE-2013-7398", "lastModified": "2023-11-07T02:18:03.143", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-06-24T16:59:01.280", "references": [{"source": "cve@mitre.org", "url": "http://openwall.com/lists/oss-security/2014/08/26/1"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2015-1176.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2015-1551.html"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/69317"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://github.com/AsyncHttpClient/async-http-client/issues/197"}, {"source": "cve@mitre.org", "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E"}, {"source": "cve@mitre.org", "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"}, {"source": "cve@mitre.org", "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-06-20"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "nvd@nist.gov", "type": "Primary"}]}