VulnerableCode Package Details - pkg:deb/debian/httpcomponents-client@4.5.14-1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-2phd-tw5c-xbdb	http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification.	CVE-2013-4366 GHSA-pqwh-44jj-p5rm
VCID-3bxq-vmjj-kqfe	org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.	CVE-2014-3577 GHSA-cfh5-3ghh-wfjx
VCID-3ur6-9s61-13a3	http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.	CVE-2015-5262 GHSA-fmj5-wv96-r2ch
VCID-amws-s4rx-n7fb	Apache HttpClient disables domain checks A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release.	CVE-2025-27820 GHSA-73m2-qfq3-56cx
VCID-j6a3-452x-7khn	Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.	CVE-2026-40542 GHSA-v468-qcjx-r72w
VCID-mrdq-9pb2-3qb5	Cross-site scripting in Apache HttpClient Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.	CVE-2020-13956 GHSA-7r82-7xv7-xcpj
VCID-qyy2-d6f6-gbaq	Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header.	CVE-2011-1498 GHSA-gw85-4gmf-m7rh

Vulnerability

Summary

Aliases

VCID-2phd-tw5c-xbdb

http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification.

CVE-2013-4366
GHSA-pqwh-44jj-p5rm

VCID-3bxq-vmjj-kqfe

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

CVE-2014-3577
GHSA-cfh5-3ghh-wfjx

VCID-3ur6-9s61-13a3

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

CVE-2015-5262
GHSA-fmj5-wv96-r2ch

VCID-amws-s4rx-n7fb

Apache HttpClient disables domain checks A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release.

CVE-2025-27820
GHSA-73m2-qfq3-56cx

VCID-j6a3-452x-7khn

Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.

CVE-2026-40542
GHSA-v468-qcjx-r72w

VCID-mrdq-9pb2-3qb5

Cross-site scripting in Apache HttpClient Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

CVE-2020-13956
GHSA-7r82-7xv7-xcpj

VCID-qyy2-d6f6-gbaq

Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header.

CVE-2011-1498
GHSA-gw85-4gmf-m7rh

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-02T06:40:15.268354+00:00	Debian Importer	Fixing	VCID-3ur6-9s61-13a3	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-05-02T06:39:15.631794+00:00	Debian Importer	Fixing	VCID-amws-s4rx-n7fb	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-05-02T06:18:11.200432+00:00	Debian Importer	Fixing	VCID-qyy2-d6f6-gbaq	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-05-01T23:57:50.605337+00:00	Debian Importer	Fixing	VCID-mrdq-9pb2-3qb5	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-05-01T23:25:15.681603+00:00	Debian Importer	Fixing	VCID-3bxq-vmjj-kqfe	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-05-01T23:08:31.601289+00:00	Debian Importer	Fixing	VCID-2phd-tw5c-xbdb	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-05-01T21:55:12.877195+00:00	Debian Importer	Fixing	VCID-j6a3-452x-7khn	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-04-29T12:44:41.143564+00:00	Debian Importer	Fixing	VCID-j6a3-452x-7khn	https://security-tracker.debian.org/tracker/data/json	38.5.0
2026-04-23T05:40:35.132424+00:00	Debian Importer	Fixing	VCID-j6a3-452x-7khn	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T12:43:16.619796+00:00	Debian Importer	Fixing	VCID-amws-s4rx-n7fb	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T12:36:52.072209+00:00	Debian Importer	Fixing	VCID-qyy2-d6f6-gbaq	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T12:34:43.163826+00:00	Debian Importer	Fixing	VCID-3ur6-9s61-13a3	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:21:39.622685+00:00	Debian Importer	Fixing	VCID-mrdq-9pb2-3qb5	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:17:00.152115+00:00	Debian Importer	Fixing	VCID-2phd-tw5c-xbdb	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:21:51.282083+00:00	Debian Importer	Fixing	VCID-3bxq-vmjj-kqfe	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T08:43:19.638146+00:00	Debian Importer	Fixing	VCID-amws-s4rx-n7fb	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T08:38:30.188099+00:00	Debian Importer	Fixing	VCID-qyy2-d6f6-gbaq	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T08:36:52.732820+00:00	Debian Importer	Fixing	VCID-3ur6-9s61-13a3	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:58:42.203553+00:00	Debian Importer	Fixing	VCID-mrdq-9pb2-3qb5	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:55:07.525463+00:00	Debian Importer	Fixing	VCID-2phd-tw5c-xbdb	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:15:14.786061+00:00	Debian Importer	Fixing	VCID-3bxq-vmjj-kqfe	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:26:39.399287+00:00	Debian Importer	Fixing	VCID-amws-s4rx-n7fb	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:26:39.371208+00:00	Debian Importer	Fixing	VCID-mrdq-9pb2-3qb5	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:26:39.342882+00:00	Debian Importer	Fixing	VCID-3ur6-9s61-13a3	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:26:39.314157+00:00	Debian Importer	Fixing	VCID-3bxq-vmjj-kqfe	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:26:39.284185+00:00	Debian Importer	Fixing	VCID-2phd-tw5c-xbdb	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:26:39.252478+00:00	Debian Importer	Fixing	VCID-qyy2-d6f6-gbaq	https://security-tracker.debian.org/tracker/data/json	38.1.0