CVE-2013-4366 — Hostname verification in Apache HttpClient 4.3 was disabled by default

Description

http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification.

How to fix CVE-2013-4366

To remediate CVE-2013-4366, upgrade the affected package to a fixed version below.

Debian/httpcomponents-client—upgrade to 4.3.2-1 or later
—upgrade to 4.3.1 or later

Is CVE-2013-4366 being exploited?

Low — EPSS is 1.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4.3.2-1
>= 4.3, < 4.3.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-4366
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-4366
WEBgithub.com/apache/httpcomponents-client/commit/08140864e3e4c0994e094c4cf0507932baf6a66
WEBsvn.apache.org/r1528614