CVE CWE: 20
Description from CVE
Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.
The async-http-client package is vulnerable to Improper Input Validation. The parse() and splitUrlAndQuery() functions in UriParser.class don't properly parse URLs that contain question marks. An attacker can exploit this behavior to get the vulnerable application to connect to a different host than intended.
Advisory Deviation Notice: The Sonatype security research team discovered that this vulnerability was actually fixed in 2.0.35 for the 2.0.x series and in 2.1.0-alpha24 for the 2.1.x series, rather than only in 2.0.35 as stated in the advisory.
An application is vulnerable if it uses this component.
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
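A defensive pattern that follows from the description above, shown as an added example (not code from async-http-client or from this advisory): parse the URL once with java.net.URI, check the host, and hand the client a URL rebuilt from the parsed components with the fragment removed, so a second parser never has to interpret text after '#'. The class name `OutboundUrlGuard`, the method `canonicalize`, the host allowlist and the sample URL are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/** Hypothetical helper: canonicalise a URL before it reaches the HTTP client. */
public final class OutboundUrlGuard {

    private OutboundUrlGuard() {}

    /**
     * Parses with java.net.URI, checks the host against an allowlist, and
     * rebuilds the URL from the parsed components without userinfo or fragment.
     */
    public static String canonicalize(String raw, Set<String> allowedHosts)
            throws URISyntaxException {
        URI u = new URI(raw);
        String scheme = u.getScheme();
        String host = u.getHost();   // null for opaque or host-less URIs
        if (scheme == null || host == null) {
            throw new URISyntaxException(raw, "absolute http(s) URL with a host required");
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        host = host.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            throw new URISyntaxException(raw, "unsupported scheme");
        }
        if (!allowedHosts.contains(host)) {
            throw new URISyntaxException(raw, "host not on allowlist");
        }
        StringBuilder out = new StringBuilder(scheme).append("://").append(host);
        if (u.getPort() != -1) {
            out.append(':').append(u.getPort());
        }
        // Raw (still percent-encoded) components, so nothing is decoded and re-encoded.
        String path = u.getRawPath();
        out.append(path == null || path.isEmpty() ? "/" : path);
        if (u.getRawQuery() != null) {
            out.append('?').append(u.getRawQuery());
        }
        return out.toString();   // fragment and userinfo deliberately dropped
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample: a '?' inside the fragment, the shape the advisory describes.
        String raw = "https://api.example.com/v1/items?page=2#section?x=1";
        System.out.println(canonicalize(raw, Set.of("api.example.com")));
    }
}
```

Fragments are never sent to the server, so dropping them does not change the request; the host that was checked is the only host present in the string the client receives.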
grizzly-http-client-1.14.jar <= UriParser.class : [1.9.0-BETA11 , )