CVE-2013-7397 async-http-client


2017-12-30 18:03
2017-12-29 23:00
2017-12-29 21:03
2017-06-18 07:03
2017-06-16 19:08
2017-04-01 19:11
2017-01-05 20:16


Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a typical AHC configuration, as demonstrated by a configuration that does not send client certificates.
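The failure mode described above, as an added illustration that is not AHC's own code: a client that falls back to an accept-everything trust manager whenever the key store or trust store location is unset, next to a hardened form that always uses the platform trust managers. The class and method names are hypothetical, and the use of the `javax.net.ssl.keyStore` and `javax.net.ssl.trustStore` system properties as the "locations" is an assumption.

```java
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

public class TrustFallbackDemo {
    // "Before" (hypothetical reconstruction): verification is silently disabled
    // unless BOTH store locations are configured.
    static TrustManager[] flawedTrustManagers() throws Exception {
        String keyStore = System.getProperty("javax.net.ssl.keyStore");     // assumed property
        String trustStore = System.getProperty("javax.net.ssl.trustStore"); // assumed property
        if (keyStore == null || trustStore == null) {
            return new TrustManager[] { new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { } // accepts any chain
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }};
        }
        return platformTrustManagers();
    }

    // "After": always validate against the JRE trust anchors, whether or not
    // a client key store is in use.
    static TrustManager[] platformTrustManagers() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store
        return tmf.getTrustManagers();
    }

    // Probe: a verifying trust manager must throw on an invalid (here: empty) chain.
    static boolean rejectsInvalidChain(TrustManager[] tms) {
        for (TrustManager tm : tms) {
            if (tm instanceof X509TrustManager) {
                try {
                    ((X509TrustManager) tm).checkServerTrusted(new X509Certificate[0], "RSA");
                    return false; // nothing thrown: the chain was accepted unchecked
                } catch (Exception e) {
                    return true;  // CertificateException or IllegalArgumentException
                }
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("flawed rejects invalid chain:   " + rejectsInvalidChain(flawedTrustManagers()));
        System.out.println("hardened rejects invalid chain: " + rejectsInvalidChain(platformTrustManagers()));
    }
}
```

A probe like `rejectsInvalidChain` can serve as a regression check in a client's test suite to catch any trust manager that accepts chains without validation.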

Am I vulnerable?

The constraints below list the versions in which this vulnerability is patched, and the versions that are unaffected. If a patch is ready but unreleased, it is listed as pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages and tells you if any of them are vulnerable.

Affected package information

Release   Package             Patched in
buster    async-http-client   1.6.5-3
jessie    async-http-client   1.6.5-3
sid       async-http-client   1.6.5-3
stretch   async-http-client   1.6.5-3
wheezy    async-http-client   None