The MITRE CVE dictionary describes this issue as:

Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.

Find out more about CVE-2017-14063 from the MITRE CVE dictionary and NIST NVD.
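The bug class behind this CVE is a disagreement between two URL parsers about where the authority ends. RFC 3986 resolves the delimiters in a fixed order (the authority stops at the first of '/', '?' or '#'), so a '?' or '@' inside the fragment can never reach the host. A parser that scans for '/' alone, or looks for '@' before it looks for '#', can be pushed past the fragment delimiter and hand a different host to the connection layer. The example below is an added illustration and is not Red Hat's or async-http-client's code; the "naive" parser is constructed to show the class of defect and is not the library's actual implementation, and the hostnames are placeholders. The defensive idea is a pre-request check that extracts the host twice (once with an RFC 3986-ordered parser) and refuses to send when the two results disagree or the agreed host is not on an allowlist.

```python
"""Added example (not the page's or async-http-client's code): contrast an
RFC 3986-ordered host extraction with a constructed naive parser, then
fail closed when they disagree."""
from typing import Dict, Set
from urllib.parse import urlsplit

# Constructed sample URLs; the hostnames are placeholders, not real hosts.
SAMPLE_URLS = [
    "http://good.example/path?x=1#section",
    "http://good.example#?@evil.example/",      # '?' inside the fragment
    "http://user@good.example:8080/a?b#c?d",
]


def reference_host(url: str) -> str:
    """Host per RFC 3986 precedence: urlsplit ends the authority at the first
    '/', '?' or '#', so nothing inside the fragment can become the host."""
    return urlsplit(url).hostname or ""


def naive_host(url: str) -> str:
    """Constructed naive parser (illustrative, NOT async-http-client's code).
    It ends the authority at the first '/' after '//' and then treats the text
    before the last '@' as userinfo. Because '?' and '#' are never considered
    while scanning for '/', a '?@' sequence in the fragment is swallowed into
    the authority and the text after '@' is reported as the host."""
    scheme_end = url.find("//")
    if scheme_end < 0:
        return ""
    rest = url[scheme_end + 2:]
    slash = rest.find("/")
    authority = rest if slash < 0 else rest[:slash]
    host_port = authority.rsplit("@", 1)[-1]        # drop any "userinfo@"
    host = host_port.split(":", 1)[0]               # drop any ":port" (no IPv6 handling, deliberately simplistic)
    return host.lower()


def check_host_consistency(url: str) -> Dict[str, object]:
    """Extract the host both ways and report whether they agree."""
    ref = reference_host(url)
    alt = naive_host(url)
    return {
        "url": url,
        "reference_host": ref,
        "naive_host": alt,
        "consistent": ref == alt,
    }


def safe_to_send(url: str, allowed_hosts: Set[str]) -> bool:
    """Fail closed: send only when both extractions agree and the agreed host
    is on the allowlist. A disagreement is exactly the signal that a parser
    confusion bug of the CVE-2017-14063 kind may be in play."""
    result = check_host_consistency(url)
    return bool(result["consistent"]) and result["reference_host"] in allowed_hosts


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = check_host_consistency(u)
        status = "OK      " if r["consistent"] else "MISMATCH"
        print(f"{status} {u}")
        print(f"         reference={r['reference_host']!r} naive={r['naive_host']!r}")
```

Run stand-alone, the second sample URL is the only one reported as a mismatch: the reference parser stops at '#' and returns `good.example`, while the naive parser returns `evil.example`. In a real deployment the second extraction would come from the HTTP client's own URI class rather than a hand-written parser; comparing it against `java.net.URI.getHost()` (or `urllib.parse.urlsplit` here) before connecting is a cheap guard that also works as a detection signal when logged.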
| CVSS3 Base Score | 5.3 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | None |
| Integrity Impact | Low |
| Availability Impact | None |

| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Fuse 7 | RHSA-2018:2669 | 2018-09-11 |

| Platform | Package | State |
|---|---|---|
| Red Hat JBoss Fuse Service Works 6 | async-http-client | Will not fix |
| Red Hat JBoss Fuse 6 | async-http-client | Will not fix |