CVE-2013-7398
async-http-client: missing hostname verification for SSL certificates
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client (aka AHC or async-http-client) before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate.
main/java/com/ning/http/client/AsyncHttpClientConfig.java en Async Http Client (también conocido como AHC o async-http-client) anterior a 1.9.0 no requiere una coincidencia de nombre de anfitrión durante la verificación de los certificados X.509, lo que permite a atacantes man-in-the-middle falsificar servidores HTTPS a través de un certificado válido arbitrario.
It was found that async-http-client did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name.
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. The following security fixes are addressed in this release: It was found that async-http-client would disable SSL/TLS certificate verification under certain conditions, for example if HTTPS communication also used client certificates. A man-in-the-middle attacker could use this flaw to spoof a valid certificate. It was found that async-http-client did not verify that the server hostname matched the domain name in the subject's Common Name or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2014-08-25 CVE Reserved
- 2015-04-17 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-297: Improper Validation of Certificate with Host Mismatch
- CWE-345: Insufficient Verification of Data Authenticity
CAPEC
References (12)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2015-0850.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2015-0851.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2015-1176.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2015-1551.html | 2023-11-07 | |
| https://github.com/AsyncHttpClient/async-http-client/issues/197 | 2023-11-07 | |
| https://access.redhat.com/security/cve/CVE-2013-7398 | 2015-08-05 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1133773 | 2015-08-05 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Async-http-client Project Search vendor "Async-http-client Project" | Async-http-client Search vendor "Async-http-client Project" for product "Async-http-client" | <= 1.9.0 Search vendor "Async-http-client Project" for product "Async-http-client" and version " <= 1.9.0" | beta24 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Fuse Search vendor "Redhat" for product "Jboss Fuse" | <= 6.1.0 Search vendor "Redhat" for product "Jboss Fuse" and version " <= 6.1.0" | - |
Affected
| ||||||