Vulnerability in Async Http Client Affecting Various Platforms
CVE-2017-14063

7.5HIGH

Key Information:

Vendor

Asynchttpclient Project

Status
Async-http-client
Vendor
CVE Published:
31 August 2017

What is CVE-2017-14063?

A vulnerability exists in Async Http Client that allows an attacker to manipulate the URI fragment identifier. If a '?' character is present, the library may connect to a different host than intended. This could lead to security implications such as man-in-the-middle attacks or data leakage, especially when handling sensitive information. This highlights the importance of rigorous validation in network request processing.

References

https://github.com/AsyncHttpClient/async-http-client/issu...
x_refsource_MISC
https://access.redhat.com/errata/RHSA-2018:2669
vendor-advisoryx_refsource_REDHAT
http://openwall.com/lists/oss-security/2017/08/31/4
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.