org.asynchttpclient:async-http-client@2.15.0

  • latest version

    3.0.11

  • latest non vulnerable version

  • first published

    10 years ago

  • latest version published

    21 days ago

  • licenses detected

  • package registry

  • Direct Vulnerabilities

    Known vulnerabilities in the org.asynchttpclient:async-http-client package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Sensitive Cookie with Improper SameSite Attribute

    org.asynchttpclient:async-http-client is a maven plugin for the Async Http Client (AHC) classes.

    Affected versions of this package are vulnerable to Sensitive Cookie with Improper SameSite Attribute via ThreadSafeCookieStore in ThreadSafeCookieStore.add(...). An attacker can plant a cookie for an unrelated domain by sending a response with a Set-Cookie header whose Domain attribute names a victim domain, causing the client to store that cookie and later send it on requests to the victim site. This affects applications that reuse one AsyncHttpClient cookie jar across attacker-influenced hosts and trusted hosts, such as crawlers, URL fetchers, or redirect-following clients. The result is session fixation or cookie override on the victim domain, so user requests can carry attacker-chosen cookies instead of the intended ones.

    Notes

    • Applications that share a single CookieStore across both attacker-influenced origins and trusted origins are the exposed deployment pattern; isolated per-trust-domain jars are not affected by this issue.
    • The stored cookie is not limited to the response host’s exact name: a response from one host can plant a cookie for an unrelated parent or sibling domain via the Domain attribute, so later requests to that victim domain receive the attacker-chosen value.

    Workarounds

    • Disable the cookie store by calling setCookieStore(null) when cookies are not needed; this prevents an attacker-influenced host from planting cookies that will later be sent to a trusted domain.
    • Use a separate AsyncHttpClient instance, with its own cookie store, for each trust domain; this prevents attacker-controlled hosts and trusted hosts from sharing the same cookie jar.
    • If you must keep a shared client, supply a custom CookieStore whose add(Uri, Cookie) rejects cookies whose Domain is not domain-matched by the request host; this blocks unrelated-domain cookies from being stored.

    How to fix Sensitive Cookie with Improper SameSite Attribute?

    Upgrade org.asynchttpclient:async-http-client to version 2.16.0, 3.0.11 or higher.

    [,2.16.0)[3.0.0.Beta1,3.0.11)