CVE-2013-4366

moderate-risk
Published 2017-10-30

http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification.

Do I need to act?

~
1.3% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (4)

Httpclient
Httpclient
Httpclient
Httpclient

Affected Vendors

Apache

References (4)

Issue Tracking http://svn.apache.org/r1528614
Issue Tracking http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.3.x.txt
Issue Tracking http://svn.apache.org/r1528614
Issue Tracking http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.3.x.txt
46
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 4/34 · Minimal
Exposure 10/34 · Low