
CVE-2013-7397 – async-http-client: SSL/TLS certificate verification is disabled under certain conditions
https://notcve.org/view.php?id=CVE-2013-7397
17 Apr 2015 — Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a typical AHC configuration, as demonstrated by a configuration that does not send client certificates. • http://openwall.com/lists/oss-security/2014/08/26/1 • CWE-295: Improper Certificate Validation • CWE-345: Insufficient Verification of Data Authenticity

CVE-2013-7398 – async-http-client: missing hostname verification for SSL certificates
https://notcve.org/view.php?id=CVE-2013-7398
17 Apr 2015 — main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client (aka AHC or async-http-client) before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate. • http://openwall.com/lists/oss-security/2014/08/26/1 • CWE-297: Improper Validation of Certificate with Host Mismatch • CWE-345: Insufficient Verification of Data Authenticity