Hostname verification in Apache HttpClient 4.3 was disabled by default

RSS Feed CRITICAL

GHSA-pqwh-44jj-p5rm CVE-2013-4366

Description:

http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification.

Affected Packages

Ecosystem	Package	Vulnerable Versions	Patched Version
maven	`org.apache.httpcomponents:httpclient`	`>= 4.3, < 4.3.1`	`4.3.1`

Related Dependabot Pull Requests

All Open Closed Merged

No Related Pull Requests

No Dependabot pull requests have been found that reference this security advisory.

Actions

View on GitHub All Advisories

Advisory Details

Published:	May 13, 2022 about 4 years ago
Updated:	June 20, 2026 about 3 hours ago
CVSS Score:	9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS:	2.18% 80th percentile
Source:	Github
Classification:	GENERAL
UUID:	`GSA_kwCzR0hTQS1wcXdoLTQ0amotcDVybc4AAQXh`

References

https://nvd.nist.gov/vuln/detail/CVE-2013-4366
http://svn.apache.org/r1528614
http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.3.x.txt
https://github.com/apache/httpcomponents-client/commit/08140864e3e4c0994e094c4cf0507932baf6a66
https://github.com/advisories/GHSA-pqwh-44jj-p5rm

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Dependabot