CVE-2013-7397
Insufficient Verification of Data Authenticity in Async Http Client
EPSS 1.1%
Description
Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a typical AHC configuration, as demonstrated by a configuration that does not send client certificates.
How to fix CVE-2013-7397
To remediate CVE-2013-7397, upgrade the affected package to a fixed version below.
- Debian/async-http-client—upgrade to 1.6.5-3 or later
- —upgrade to 1.9.0 or later
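For builds that cannot move to 1.9.0 yet, an added example (not the advisory's or the AHC project's own code) of an AHC 1.x configuration that supplies its own verifying SSLContext, so the library-internal default the description refers to is never consulted; the class name, the example.com URL, and the note about setHostnameVerifier availability are assumptions.

```java
// Added example, not from the advisory or the AHC project. Supplying an
// explicit SSLContext means AHC never falls back to its internal default,
// which the advisory says skips X.509 verification unless both a keyStore
// and a trustStore location are set. Upgrading to 1.9.0+ is still the fix.
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import com.ning.http.client.AsyncHttpClient;
import com.ning.http.client.AsyncHttpClientConfig;
import com.ning.http.client.Response;

public class AhcStrictTls {

    // SSLContext whose trust decisions come from the JVM's default trust
    // store (or one you load explicitly), never from a trust-all manager.
    static SSLContext strictContext() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);               // null = JVM default cacerts
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // WEAK on pre-1.9.0: no SSLContext given, so AHC uses its own default;
    // with the usual javax.net.ssl.* properties unset, any certificate the
    // server presents is accepted (the typical configuration the CVE names).
    static AsyncHttpClientConfig weakConfig() {
        return new AsyncHttpClientConfig.Builder().build();
    }

    // CORRECTED: pass an explicit, verifying SSLContext. Hostname checking
    // is a separate concern (setHostnameVerifier on later 1.x Builders;
    // its availability in your exact version is an assumption, check it).
    static AsyncHttpClientConfig strictConfig() throws Exception {
        return new AsyncHttpClientConfig.Builder()
            .setSSLContext(strictContext())
            .build();
    }

    public static void main(String[] args) throws Exception {
        AsyncHttpClient client = new AsyncHttpClient(strictConfig());
        try {
            // Placeholder URL. Against a server with an untrusted certificate
            // this now fails in the TLS handshake instead of silently succeeding.
            Response r = client.prepareGet("https://example.com/").execute().get();
            System.out.println(r.getStatusCode());
        } finally {
            client.close();
        }
    }
}
```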
Is CVE-2013-7397 being exploited?
Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 1.6.5-3
- from 0, < 1.9.0