Insecure Hostname Verification Defaults

2017-06-2620:23:38

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.001 Low

EPSS

Percentile

45.2%

JSON

httpclient has insecure hostname verification defaults. If a X509HostnameVerifier is not provided, httpclient would default to having no hostname verification.

CPENameOperatorVersion
apache httpclientle4.3

CPE	Name	Operator	Version
	apache httpclient	le	4.3

References

svn.apache.org/r1528614

www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.3.x.txt

github.com/apache/httpcomponents-client/blob/f209636622350700e0cedb06a7a664dff3eae527/RELEASE_NOTES.txt#L16

github.com/apache/httpcomponents-client/commit/08140864e3e4c0994e094c4cf0507932baf6a66a

0.001 Low

EPSS

Percentile

45.2%

JSON

Related for VERACODE:4481