Mule / MULE-16154

Fix vulnerability in AHC fork

    Details

    • Story Points:
      0

      Description

      Weakness
      CWE: 20
      Description from CVE
      Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.
      Explanation
      The async-http-client package is vulnerable to Improper Input Validation. The parse() and splitUrlAndQuery() functions in UriParser.class do not properly parse URLs that contain question marks. An attacker can exploit this behavior to make the vulnerable application connect to a different host than intended.
      Advisory Deviation Notice: The Sonatype security research team found that this vulnerability was actually fixed in 2.0.35 for the 2.0.x series and in 2.1.0-alpha24 for the 2.1.x series, rather than only in 2.0.35 as stated in the advisory.
      Detection
      The application is vulnerable by using this component.
      Recommendation
      We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
      Categories
      Data
      Root Cause
      grizzly-http-client-1.14.jar <= UriParser.class : [1.9.0-BETA11 , )
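The advisory's point is about parse order: RFC 3986 (and java.net.URI) strips the fragment before looking for the query delimiter, so a '?' inside a fragment is fragment text, whereas a parser that cuts at the first '?' first misplaces everything after it. The Python below is an added illustration, not code from Mule, Grizzly or async-http-client: naive_split_url_and_query is a constructed sketch of the flawed approach the advisory describes (not the real UriParser logic), rfc3986_parts shows the reference parse using urllib.parse (which follows the same rules as java.net.URI), and client_host_is_consistent is a defensive pre-connect check that refuses to proceed when the host an HTTP client intends to use differs from the host an RFC 3986 parser extracts. SAMPLE_URL is a constructed value.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample URL (not from the advisory): the '?' sits inside the
# fragment, so per RFC 3986 it is fragment text, not the start of a query.
SAMPLE_URL = "http://example.com/path#section?x=1"


def naive_split_url_and_query(url: str) -> Tuple[str, str]:
    """Constructed sketch of the flawed approach the advisory describes:
    cut at the first '?' before the fragment has been removed.
    This is NOT the actual UriParser code."""
    idx = url.find("?")
    if idx < 0:
        return url, ""
    # Everything after the first '?' is treated as query, even though
    # here it belongs to the fragment.
    return url[:idx], url[idx + 1:]


def rfc3986_parts(url: str) -> dict:
    """Reference parse in the order RFC 3986 prescribes (fragment is split
    off first, then the query), which is what java.net.URI and
    urllib.parse.urlsplit both do."""
    p = urlsplit(url)
    return {
        "host": p.hostname,
        "path": p.path,
        "query": p.query,
        "fragment": p.fragment,
    }


def client_host_is_consistent(url: str, client_host: Optional[str]) -> bool:
    """Defensive pre-connect check: the host the HTTP client actually
    intends to connect to must equal the host an RFC 3986 parser extracts.
    Returns False (refuse) on any missing host so a parse failure can
    never silently pass."""
    expected = urlsplit(url).hostname
    if expected is None or client_host is None:
        return False
    # Hostnames are case-insensitive; compare in a normalised form.
    return expected.lower() == client_host.lower()


if __name__ == "__main__":
    # The naive split reports a query of "x=1" and leaves "#section" in
    # the path; the reference parse keeps "section?x=1" as the fragment.
    print(naive_split_url_and_query(SAMPLE_URL))
    print(rfc3986_parts(SAMPLE_URL))
    print(client_host_is_consistent(SAMPLE_URL, "example.com"))
    print(client_host_is_consistent(SAMPLE_URL, "other.example"))
```

The check is only useful if it runs against the host value the client library will actually open a socket to, so in a wrapper around an HTTP client it belongs immediately before the connect call, with the result logged on mismatch; upgrading the component, as the recommendation says, remains the real fix.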

            People

            • Assignee: fgonz Fabian Gonzalez
            • Reporter: fgonz Fabian Gonzalez
            • Votes: 0
            • Watchers: 1