CVE-2017-14063
Description
Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.
CVSSv2.0 Score

Metric | Value |
---|---|
Severity | Medium |
Base Score | 5/10 |
Exploit Score | 10/10 |
Access Vector | Network |
Access Complexity | Low |
Authentication Required | None |
Impact Score | 2.9/10 |
Confidentiality Impact | None |
Availability Impact | None |
Integrity Impact | Partial |
CVSSv3.1 Score

Metric | Value |
---|---|
Severity | High |
Base Score | 7.5/10 |
Exploit Score | 3.9/10 |
Attack Vector | Network |
Attack Complexity | Low |
Privileges Required | None |
Impact Score | 3.6/10 |
Confidentiality Impact | None |
Availability Impact | None |
Integrity Impact | High |
Scope | Unchanged |
User Interaction | None |
Products Affected

CPE | Affected | Vulnerable | Excluding |
---|---|---|---|
cpe:2.3:a:asynchttpclient_project:async-http-client:*:*:*:*: | Yes | - | 2.0.35 |
References
- https://github.com/AsyncHttpClient/async-http-client/issues/1455
- http://openwall.com/lists/oss-security/2017/08/31/4
- https://access.redhat.com/errata/RHSA-2018:2669
- https://lists.apache.org/thread.html/rfaa4d578587f52a9c4d176af516a681a712c664e3be440a416
- https://lists.apache.org/thread.html/r79d9bab405414af45568c4683386f5e9fd02c10ca87ffa2ee3
- https://lists.apache.org/thread.html/re2510852c4a1f635b14b35e5dfd7597076928e723ab08559ed
- https://lists.apache.org/thread.html/r04b15fd898a6b1612153543375daaa8145a0fd1804ec9fa2e0
- https://lists.apache.org/thread.html/rcb46acc25917e01ebecca132e870da9ab935d5796686ed8a27
- https://lists.apache.org/thread.html/r7046a51116207588e36ca8c2e291327e391dae40712d267117
- https://lists.apache.org/thread.html/r7879a48644f708be0529bd39f0679ad3ad951f3dc24442878a
- https://lists.apache.org/thread.html/r683d78c6d7a15659f2bb82dd4120dab8c45a870eaa7f1a15cc
- https://lists.apache.org/thread.html/re7367895ccbf64523efcd39a9181baf2eaa30b069d8d649685
- https://lists.apache.org/thread.html/rfd823a733b02cffbef5a69953fdcbed2d1d0afad5e1ea4e96f
- https://lists.apache.org/thread.html/r9ea5d489e004b40baf73880c4e11dd4de24b799d15e091e1f4
- https://lists.apache.org/thread.html/rbbad61e1ba5b21e234a6664963618acfee237af754eb20300d
- https://lists.apache.org/thread.html/r3df4b7ccc363b4850a24842138117aa4451b875bc4773a845b
- https://lists.apache.org/thread.html/r868875e67494a18d31e88cba2672f45c3fc6708ffdde445723
- https://lists.apache.org/thread.html/r4ebb9596d890f3528630492bd78237b3eef06f093bac238a0d
- https://lists.apache.org/thread.html/rbc4fbb06ccb10e26e6064f57f6bd4935eabe2d18a0cb9a7183
- https://lists.apache.org/thread.html/rc550b8955b37b40fee18db99f167337c41c930d8c3763b9631
- https://lists.apache.org/thread.html/r5f794dc07913c5f2ec08f540813b40e61b562d36f8b1f916e8
- https://lists.apache.org/thread.html/r41a0e2c36f7d1854a4d56cb1e4aa720ef501782d887ece1c9b
- https://lists.apache.org/thread.html/r5b8666c4414500ff6e993bfa69cb6afa19b1b67c4585a045c0
- https://lists.apache.org/thread.html/r0a6b6429a7558051dbb70bd06584b4b1c334a80ec9203d3d39
- https://lists.apache.org/thread.html/rfe55d83e4070bcc9285bbbf6bc39635dbcbba6d14d89aab0f3
- https://lists.apache.org/thread.html/r5f07c30721503d4c02d5451f77a611a1a0bb2a94ddcdf071c9
- https://lists.apache.org/thread.html/r14a74d204f285dd3a4fa203de6dbb4e741ddb7fdfff7915590
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7