Server Side Request Forgery (SSRF) Affecting org.asynchttpclient:async-http-client package, versions [,2.0.35)


0.0
high
  • Attack Complexity

    Low

  • Integrity

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JAVA-ORGASYNCHTTPCLIENT-31611

  • published

    27 Sep 2017

  • disclosed

    28 Aug 2017

  • credit

    Nicolas Grégoire

How to fix?

Upgrade org.asynchttpclient:async-http-client to version 2.0.35 or higher.

Overview

org.asynchttpclient:async-http-client is a maven plugin for the Async Http Client (AHC) classes.

Affected versions of this package are vulnerable to Server Side Request Forgery (SSRF). Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.