Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.asynchttpclient/async-http-client@2.1.0
Type maven
Namespace org.asynchttpclient
Name async-http-client
Version 2.1.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 2.14.5
Latest_non_vulnerable_version 3.0.10
Affected_by_vulnerabilities
0
url VCID-su1f-sa1r-e7gp
vulnerability_id VCID-su1f-sa1r-e7gp
summary The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When making any HTTP request, the automatically enabled and self-managed CookieStore (aka cookie jar) will silently replace explicitly defined Cookies with any that have the same name from the cookie jar. For services that operate with multiple users, this can result in one user's Cookie being used for another user's requests.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-53990.json
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-53990.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-53990
reference_id
reference_type
scores
0
value 0.00441
scoring_system epss
scoring_elements 0.63651
published_at 2026-06-11T12:55:00Z
1
value 0.00441
scoring_system epss
scoring_elements 0.63764
published_at 2026-06-14T12:55:00Z
2
value 0.00441
scoring_system epss
scoring_elements 0.63766
published_at 2026-06-13T12:55:00Z
3
value 0.00441
scoring_system epss
scoring_elements 0.63752
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-53990
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53990
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53990
3
reference_url https://github.com/AsyncHttpClient/async-http-client
reference_id
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/AsyncHttpClient/async-http-client
4
reference_url https://github.com/AsyncHttpClient/async-http-client/blob/main/CHANGES.md#from-20-to-21
reference_id
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/AsyncHttpClient/async-http-client/blob/main/CHANGES.md#from-20-to-21
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-53990
reference_id
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-53990
6
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089228
reference_id 1089228
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089228
7
reference_url https://github.com/AsyncHttpClient/async-http-client/issues/1964
reference_id 1964
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-04T17:04:19Z/
url https://github.com/AsyncHttpClient/async-http-client/issues/1964
8
reference_url https://github.com/AsyncHttpClient/async-http-client/pull/2033
reference_id 2033
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-04T17:04:19Z/
url https://github.com/AsyncHttpClient/async-http-client/pull/2033
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2330004
reference_id 2330004
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2330004
10
reference_url https://github.com/AsyncHttpClient/async-http-client/commit/d5a83362f7aed81b93ebca559746ac9be0f95425
reference_id d5a83362f7aed81b93ebca559746ac9be0f95425
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-04T17:04:19Z/
url https://github.com/AsyncHttpClient/async-http-client/commit/d5a83362f7aed81b93ebca559746ac9be0f95425
11
reference_url https://github.com/advisories/GHSA-mfj5-cf8g-g2fv
reference_id GHSA-mfj5-cf8g-g2fv
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mfj5-cf8g-g2fv
12
reference_url https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-mfj5-cf8g-g2fv
reference_id GHSA-mfj5-cf8g-g2fv
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
1
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-04T17:04:19Z/
url https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-mfj5-cf8g-g2fv
13
reference_url https://access.redhat.com/errata/RHSA-2025:1078
reference_id RHSA-2025:1078
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1078
fixed_packages
0
url pkg:maven/org.asynchttpclient/async-http-client@2.12.4
purl pkg:maven/org.asynchttpclient/async-http-client@2.12.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-vf1m-dhav-nybd
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.asynchttpclient/async-http-client@2.12.4
1
url pkg:maven/org.asynchttpclient/async-http-client@3.0.1
purl pkg:maven/org.asynchttpclient/async-http-client@3.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-vf1m-dhav-nybd
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.asynchttpclient/async-http-client@3.0.1
aliases CVE-2024-53990, GHSA-mfj5-cf8g-g2fv
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-su1f-sa1r-e7gp
1
url VCID-vf1m-dhav-nybd
vulnerability_id VCID-vf1m-dhav-nybd
summary The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (followRedirect(true)), versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and Proxy-Authorization headers along with Realm credentials to arbitrary redirect targets regardless of domain, scheme, or port changes. This leaks credentials on cross-domain redirects and HTTPS-to-HTTP downgrades. Additionally, even when stripAuthorizationOnRedirect is set to true, the Realm object containing plaintext credentials is still propagated to the redirect request, causing credential re-generation for Basic and Digest authentication schemes via NettyRequestFactory. An attacker who controls a redirect target (via open redirect, DNS rebinding, or MITM on HTTP) can capture Bearer tokens, Basic auth credentials, or any other Authorization header value. The fix in versions 3.0.9 and 2.14.5 automatically strips Authorization and Proxy-Authorization headers and clears Realm credentials whenever a redirect crosses origin boundaries (different scheme, host, or port) or downgrades from HTTPS to HTTP. For users unable to upgrade, set `(stripAuthorizationOnRedirect(true))` in the client config and avoid using Realm-based authentication with redirect following enabled. Note that `(stripAuthorizationOnRedirect(true))` alone is insufficient on versions prior to 3.0.9 and 2.14.5 because the Realm bypass still re-generates credentials. Alternatively, disable redirect following (`followRedirect(false)`) and handle redirects manually with origin validation.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40490.json
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40490.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-40490
reference_id
reference_type
scores
0
value 0.00071
scoring_system epss
scoring_elements 0.21957
published_at 2026-06-14T12:55:00Z
1
value 0.00071
scoring_system epss
scoring_elements 0.21969
published_at 2026-06-12T12:55:00Z
2
value 0.00071
scoring_system epss
scoring_elements 0.21981
published_at 2026-06-13T12:55:00Z
3
value 0.00071
scoring_system epss
scoring_elements 0.2178
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-40490
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40490
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40490
3
reference_url https://github.com/AsyncHttpClient/async-http-client
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/AsyncHttpClient/async-http-client
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-40490
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-40490
5
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134337
reference_id 1134337
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134337
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2459390
reference_id 2459390
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2459390
7
reference_url https://github.com/AsyncHttpClient/async-http-client/commit/6b2fbb7f8
reference_id 6b2fbb7f8
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:51:47Z/
url https://github.com/AsyncHttpClient/async-http-client/commit/6b2fbb7f8
8
reference_url https://github.com/AsyncHttpClient/async-http-client/commit/ae557ad35246721c09dafb2976609cd0004e78ae
reference_id ae557ad35246721c09dafb2976609cd0004e78ae
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:51:47Z/
url https://github.com/AsyncHttpClient/async-http-client/commit/ae557ad35246721c09dafb2976609cd0004e78ae
9
reference_url https://github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-2.14.5
reference_id async-http-client-project-2.14.5
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:51:47Z/
url https://github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-2.14.5
10
reference_url https://github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-3.0.9
reference_id async-http-client-project-3.0.9
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:51:47Z/
url https://github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-3.0.9
11
reference_url https://github.com/advisories/GHSA-cmxv-58fp-fm3g
reference_id GHSA-cmxv-58fp-fm3g
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cmxv-58fp-fm3g
12
reference_url https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-cmxv-58fp-fm3g
reference_id GHSA-cmxv-58fp-fm3g
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:51:47Z/
url https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-cmxv-58fp-fm3g
fixed_packages
0
url pkg:maven/org.asynchttpclient/async-http-client@2.14.5
purl pkg:maven/org.asynchttpclient/async-http-client@2.14.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.asynchttpclient/async-http-client@2.14.5
1
url pkg:maven/org.asynchttpclient/async-http-client@3.0.9
purl pkg:maven/org.asynchttpclient/async-http-client@3.0.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.asynchttpclient/async-http-client@3.0.9
aliases CVE-2026-40490, GHSA-cmxv-58fp-fm3g
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vf1m-dhav-nybd
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.asynchttpclient/async-http-client@2.1.0