Server Side Request Forgery (SSRF) Affecting org.asynchttpclient:async-http-client package, versions [,2.0.35)
Threat Intelligence
EPSS: 0.43% (75th percentile)
- Snyk ID SNYK-JAVA-ORGASYNCHTTPCLIENT-31611
- published 27 Sep 2017
- disclosed 28 Aug 2017
- credit Nicolas Grégoire
Introduced: 28 Aug 2017
CVE-2017-14063
How to fix?
Upgrade org.asynchttpclient:async-http-client to version 2.0.35 or higher.
Overview
org.asynchttpclient:async-http-client is a maven plugin for the Async Http Client (AHC) classes.
Affected versions of this package are vulnerable to Server Side Request Forgery (SSRF). Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Any host allow-list that is enforced on the java.net.URI view of a URL before the URL is handed to AHC therefore does not constrain where AHC actually connects. Similar bugs were previously identified in cURL (CVE-2016-8624) and in Oracle Java 8 java.net.URL.
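The parser disagreement the overview describes, shown with an added example that is not AHC's or Snyk's code: a constructed query-first parser stands in for the flawed behaviour next to RFC 3986 parsing (the rules java.net.URI follows), and a defence-in-depth check rejects any URL on which the two disagree. Hostnames and URLs are constructed.

```python
from urllib.parse import urlsplit


def host_rfc3986(url: str) -> str:
    """Host as RFC 3986 and java.net.URI see it: the fragment starts at the
    first '#', so a '?' inside the fragment never opens a query string."""
    return urlsplit(url).hostname or ""


def host_query_first(url: str) -> str:
    """Constructed model of the parse confusion described above (not AHC's
    code): the end of the scheme://authority/path region is moved to the
    '?' even when that '?' sits inside the fragment, so fragment text leaks
    into the authority and the host is read from the wrong place."""
    end = len(url)
    hash_pos = url.find("#")
    if hash_pos >= 0:
        end = hash_pos
    q_pos = url.find("?")
    if q_pos >= 0:  # defect: should also require q_pos < end
        end = q_pos
    authority = url[url.find("://") + 3:end]
    at = authority.rfind("@")  # userinfo, if any, precedes the last '@'
    host = authority[at + 1:]
    for sep in ("/", ":"):  # drop path and port
        cut = host.find(sep)
        if cut >= 0:
            host = host[:cut]
    return host.lower()


def hosts_agree(url: str) -> bool:
    """Defence-in-depth check alongside upgrading: parse with both routines
    and refuse to dispatch a request whose host depends on which parser
    is asked."""
    return host_rfc3986(url) == host_query_first(url)


# Constructed inputs. The second places '?' inside the fragment, the case
# named in the advisory; the toy parser then reports a different host.
WELL_FORMED = "http://user@good.example/path?q=1#section"
QUERY_IN_FRAGMENT = "http://good.example/path#@other.example?q=1"

if __name__ == "__main__":
    for url in (WELL_FORMED, QUERY_IN_FRAGMENT):
        print(url, host_rfc3986(url), host_query_first(url), hosts_agree(url))
```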
CVSS Scores (version 3.1)