CVE-2011-1498 — Exposure of Sensitive Information to an Unauthorized Actor in Apache HttpClient

Description

Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header.

How to fix CVE-2011-1498

To remediate CVE-2011-1498, upgrade the affected package to a fixed version below.

Debian/httpcomponents-client—upgrade to 4.1.1-1 or later
Maven/org.apache.httpcomponents:httpclient—upgrade to 4.1.1 or later

Is CVE-2011-1498 being exploited?

Low — EPSS is 4.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4.1.1-1
>= 4.0.0, < 4.1.1

References (15)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2011-1498
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2011-1498
PATCHgithub.com/apache/httpcomponents-client
WEBlists.fedoraproject.org/pipermail/package-announce/2011-June/061440.html