Server Side Request Forgery (SSRF) Affecting org.asynchttpclient:async-http-client package, versions [,2.0.35)


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
3.05% (86th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGASYNCHTTPCLIENT-31611
  • published27 Sept 2017
  • disclosed28 Aug 2017
  • creditNicolas Grégoire

Introduced: 28 Aug 2017

CVE-2017-14063  (opens in a new tab)
CWE-918  (opens in a new tab)

How to fix?

Upgrade org.asynchttpclient:async-http-client to version 2.0.35 or higher.

Overview

org.asynchttpclient:async-http-client is a maven plugin for the Async Http Client (AHC) classes.

Affected versions of this package are vulnerable to Server Side Request Forgery (SSRF). Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.

CVSS Base Scores

version 3.1