Vulnerabilities: 3 via 3 paths
Dependencies: 21
Source: GitHub
Commit: 17919258


medium severity

Improper Certificate Validation

  • Vulnerable module: commons-httpclient:commons-httpclient
  • Introduced through: commons-httpclient:commons-httpclient@3.1

Detailed paths

  • Introduced through: geektcp/mosheh@geektcp/mosheh#17919258db023f438192ceee30430bc10a061680 > commons-httpclient:commons-httpclient@3.1

Overview

commons-httpclient:commons-httpclient is an HttpClient component of the Apache HttpComponents project.

Affected versions of this package are vulnerable to Improper Certificate Validation due to not verifying that the requesting server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. This allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

NOTE: This plugin has been deprecated, but a fix has been released in version 3.1-jenkins-3 on a special Jenkins fork of the project.

Remediation

Upgrade commons-httpclient:commons-httpclient to version 3.1-jenkins-3 or higher.


medium severity

Man-in-the-Middle (MitM)

  • Vulnerable module: commons-httpclient:commons-httpclient
  • Introduced through: commons-httpclient:commons-httpclient@3.1

Detailed paths

  • Introduced through: geektcp/mosheh@geektcp/mosheh#17919258db023f438192ceee30430bc10a061680 > commons-httpclient:commons-httpclient@3.1

Overview

commons-httpclient:commons-httpclient is an HttpClient component of the Apache HttpComponents project.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM) due to not verifying the requesting server's hostname against the domain names in the SSL certificate. The AbstractVerifier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field.

NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.

Remediation

There is no fixed version for commons-httpclient:commons-httpclient.


low severity

Information Exposure

  • Vulnerable module: commons-codec:commons-codec
  • Introduced through: commons-httpclient:commons-httpclient@3.1

Detailed paths

  • Introduced through: geektcp/mosheh@geektcp/mosheh#17919258db023f438192ceee30430bc10a061680 > commons-httpclient:commons-httpclient@3.1 > commons-codec:commons-codec@1.2

Overview

commons-codec:commons-codec is a package that contains simple encoders and decoders for various formats such as Base64 and Hexadecimal.

Affected versions of this package are vulnerable to Information Exposure. When given a Base32 string that no byte array could have been encoded into, the Base32 implementation does not reject it, and instead decodes it into an arbitrary value that can be re-encoded again using the same implementation. This allows for information exposure exploits such as tunneling additional information via seemingly valid Base32 strings.

Remediation

Upgrade commons-codec:commons-codec to version 1.13 or higher.
