Insufficient Verification of Data Authenticity Affecting com.ning:async-http-client package, versions [,1.9.0)

Threat Intelligence

0.3% (70^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-COMNING-30317
published 28 Mar 2017
disclosed 24 Jun 2015
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 24 Jun 2015

CVE-2013-7397 Open this link in a new tab CWE-345 Open this link in a new tab

Overview

com.ning:async-http-client Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a typical AHC configuration, as demonstrated by a configuration that does not send client certificates.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

Required

Scope (S)

Unchanged

Confidentiality (C)

None
Integrity (I)

Low
Availability (A)

None

Insufficient Verification of Data Authenticity Affecting com.ning:async-http-client package, versions [,1.9.0)

Severity

CVSS assessment made by Snyk's Security Team

Threat Intelligence

Introduced: 24 Jun 2015

Overview

References

CVSS Scores

Snyk

NVD