CVE-2013-7397
async-http-client: SSL/TLS certificate verification is disabled under certain conditions
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a typical AHC configuration, as demonstrated by a configuration that does not send client certificates.
Async Http Client (también conocido como AHC o async-http-client) anterior a 1.9.0 salta la verificación los certificados X.509 a no ser que tanto una localización keyStore y una localización trustStore estén configuradas explícitamente, lo que permite a atacantes man-in-the-middle falsificar servidores HTTPS mediante la presentación de un certificado arbitrario durante el uso de una configuración AHC típica, tal y como fue demostrado por una configuración que no envía certificados de cliente.
It was found that async-http-client would disable SSL/TLS certificate verification under certain conditions, for example if HTTPS communication also used client certificates. A man-in-the-middle (MITM) attacker could use this flaw to spoof a valid certificate.
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. The following security fixes are addressed in this release: It was found that async-http-client would disable SSL/TLS certificate verification under certain conditions, for example if HTTPS communication also used client certificates. A man-in-the-middle attacker could use this flaw to spoof a valid certificate. It was found that async-http-client did not verify that the server hostname matched the domain name in the subject's Common Name or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2014-08-25 CVE Reserved
- 2015-04-17 CVE Published
- 2024-08-06 CVE Updated
- 2025-05-22 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-295: Improper Certificate Validation
- CWE-345: Insufficient Verification of Data Authenticity
CAPEC
References (12)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2015-0850.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2015-0851.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2015-1176.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2015-1551.html | 2023-11-07 | |
| https://github.com/AsyncHttpClient/async-http-client/issues/352 | 2023-11-07 | |
| https://access.redhat.com/security/cve/CVE-2013-7397 | 2015-08-05 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1133769 | 2015-08-05 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Jboss Fuse Search vendor "Redhat" for product "Jboss Fuse" | <= 6.1.0 Search vendor "Redhat" for product "Jboss Fuse" and version " <= 6.1.0" | - |
Affected
| ||||||
| Async-http-client Project Search vendor "Async-http-client Project" | Async-http-client Search vendor "Async-http-client Project" for product "Async-http-client" | <= 1.9.0 Search vendor "Async-http-client Project" for product "Async-http-client" and version " <= 1.9.0" | beta24 |
Affected
| ||||||