• cpe: cpe:/a:eclipse:eclipse_ide:3.8.0.v20170104   Confidence:Low   suppress

CVE-2008-7271  suppress

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3.3.2, allow remote attackers to inject arbitrary web script or HTML via (1) the searchWord parameter to help/advanced/searchView.jsp or (2) the workingSet parameter in an add action to help/advanced/workingSetManager.jsp, a different issue than CVE-2010-4647.

• MISC - http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html
• MISC - https://bugs.eclipse.org/bugs/show_bug.cgi?id=223539

Vulnerable Software & Versions: (show all)

• cpe:/a:eclipse:eclipse_ide
• ...
• cpe:/a:eclipse:eclipse_ide
• cpe:/a:eclipse:eclipse_ide:3.3.2

• cpe: cpe:/a:eclipse:eclipse_ide:3.8.0.v20161203   Confidence:Low   suppress

CVE-2008-7271  suppress

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3.3.2, allow remote attackers to inject arbitrary web script or HTML via (1) the searchWord parameter to help/advanced/searchView.jsp or (2) the workingSet parameter in an add action to help/advanced/workingSetManager.jsp, a different issue than CVE-2010-4647.

• MISC - http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html
• MISC - https://bugs.eclipse.org/bugs/show_bug.cgi?id=223539

Vulnerable Software & Versions: (show all)

• cpe:/a:eclipse:eclipse_ide
• ...
• cpe:/a:eclipse:eclipse_ide
• cpe:/a:eclipse:eclipse_ide:3.3.2

• cpe: cpe:/a:eclipse:eclipse_ide:3.2.300.v20161203   Confidence:Low   suppress

CVE-2008-7271  suppress

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3.3.2, allow remote attackers to inject arbitrary web script or HTML via (1) the searchWord parameter to help/advanced/searchView.jsp or (2) the workingSet parameter in an add action to help/advanced/workingSetManager.jsp, a different issue than CVE-2010-4647.

• MISC - http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html
• MISC - https://bugs.eclipse.org/bugs/show_bug.cgi?id=223539

Vulnerable Software & Versions: (show all)

• cpe:/a:eclipse:eclipse_ide
• ...
• cpe:/a:eclipse:eclipse_ide
• cpe:/a:eclipse:eclipse_ide:3.3.2

CVE-2010-4647  suppress

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE before 3.6.2 allow remote attackers to inject arbitrary web script or HTML via the query string to (1) help/index.jsp or (2) help/advanced/content.jsp.

• FEDORA - FEDORA-2010-18990
• FEDORA - FEDORA-2010-19006
• MANDRIVA - MDVSA-2011:032
• MISC - http://yehg.net/lab/pr0js/advisories/eclipse/[eclipse_help_server]_cross_site_scripting
• MISC - https://bugs.eclipse.org/bugs/show_bug.cgi?id=329582
• MLIST - [oss-security] 20110106 CVE Request: Eclipse IDE Version: 3.6.1 | Help Server Local Cross Site Scripting (XSS)
• MLIST - [oss-security] 20110106 Re: CVE Request: Eclipse IDE Version: 3.6.1 | Help Server Local Cross Site Scripting (XSS)
• REDHAT - RHSA-2011:0568
• XF - eclipseide-querystring-xss(64833)

Vulnerable Software & Versions: (show all)

• cpe:/a:eclipse:eclipse_ide:3.6.1 and all previous versions
• ...
• cpe:/a:eclipse:eclipse_ide:1.0
• cpe:/a:eclipse:eclipse_ide:2.0
• cpe:/a:eclipse:eclipse_ide:2.0.1
• cpe:/a:eclipse:eclipse_ide:2.0.2
• cpe:/a:eclipse:eclipse_ide:2.1
• cpe:/a:eclipse:eclipse_ide:2.1.1
• cpe:/a:eclipse:eclipse_ide:2.1.2
• cpe:/a:eclipse:eclipse_ide:2.1.3
• cpe:/a:eclipse:eclipse_ide:3.0
• cpe:/a:eclipse:eclipse_ide:3.0.1
• cpe:/a:eclipse:eclipse_ide:3.0.2
• cpe:/a:eclipse:eclipse_ide:3.1
• cpe:/a:eclipse:eclipse_ide:3.1.1
• cpe:/a:eclipse:eclipse_ide:3.1.2
• cpe:/a:eclipse:eclipse_ide:3.2
• cpe:/a:eclipse:eclipse_ide:3.2.1
• cpe:/a:eclipse:eclipse_ide:3.2.2
• cpe:/a:eclipse:eclipse_ide:3.3
• cpe:/a:eclipse:eclipse_ide:3.3.1
• cpe:/a:eclipse:eclipse_ide:3.3.1.1
• cpe:/a:eclipse:eclipse_ide:3.3.2
• cpe:/a:eclipse:eclipse_ide:3.4
• cpe:/a:eclipse:eclipse_ide:3.4.1
• cpe:/a:eclipse:eclipse_ide:3.4.2
• cpe:/a:eclipse:eclipse_ide:3.5
• cpe:/a:eclipse:eclipse_ide:3.5.1
• cpe:/a:eclipse:eclipse_ide:3.5.2
• cpe:/a:eclipse:eclipse_ide:3.6:m1
• cpe:/a:eclipse:eclipse_ide:3.6:m2
• cpe:/a:eclipse:eclipse_ide:3.6:m3
• cpe:/a:eclipse:eclipse_ide:3.6:m4
• cpe:/a:eclipse:eclipse_ide:3.6:m5
• cpe:/a:eclipse:eclipse_ide:3.6:m6
• cpe:/a:eclipse:eclipse_ide:3.6:m7
• cpe:/a:eclipse:eclipse_ide:3.6:rc1
• cpe:/a:eclipse:eclipse_ide:3.6:rc2
• cpe:/a:eclipse:eclipse_ide:3.6:rc3
• cpe:/a:eclipse:eclipse_ide:3.6:rc4
• cpe:/a:eclipse:eclipse_ide:3.6.1 and all previous versions

• cpe: cpe:/a:eclipse:eclipse_ide:1.1.200.v20170314   Confidence:Low   suppress

CVE-2008-7271  suppress

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3.3.2, allow remote attackers to inject arbitrary web script or HTML via (1) the searchWord parameter to help/advanced/searchView.jsp or (2) the workingSet parameter in an add action to help/advanced/workingSetManager.jsp, a different issue than CVE-2010-4647.

• MISC - http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html
• MISC - https://bugs.eclipse.org/bugs/show_bug.cgi?id=223539

Vulnerable Software & Versions: (show all)

• cpe:/a:eclipse:eclipse_ide
• ...
• cpe:/a:eclipse:eclipse_ide
• cpe:/a:eclipse:eclipse_ide:3.3.2

CVE-2010-4647  suppress

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE before 3.6.2 allow remote attackers to inject arbitrary web script or HTML via the query string to (1) help/index.jsp or (2) help/advanced/content.jsp.

• FEDORA - FEDORA-2010-18990
• FEDORA - FEDORA-2010-19006
• MANDRIVA - MDVSA-2011:032
• MISC - http://yehg.net/lab/pr0js/advisories/eclipse/[eclipse_help_server]_cross_site_scripting
• MISC - https://bugs.eclipse.org/bugs/show_bug.cgi?id=329582
• MLIST - [oss-security] 20110106 CVE Request: Eclipse IDE Version: 3.6.1 | Help Server Local Cross Site Scripting (XSS)
• MLIST - [oss-security] 20110106 Re: CVE Request: Eclipse IDE Version: 3.6.1 | Help Server Local Cross Site Scripting (XSS)
• REDHAT - RHSA-2011:0568
• XF - eclipseide-querystring-xss(64833)

Vulnerable Software & Versions: (show all)

• cpe:/a:eclipse:eclipse_ide:3.6.1 and all previous versions
• ...
• cpe:/a:eclipse:eclipse_ide:1.0
• cpe:/a:eclipse:eclipse_ide:2.0
• cpe:/a:eclipse:eclipse_ide:2.0.1
• cpe:/a:eclipse:eclipse_ide:2.0.2
• cpe:/a:eclipse:eclipse_ide:2.1
• cpe:/a:eclipse:eclipse_ide:2.1.1
• cpe:/a:eclipse:eclipse_ide:2.1.2
• cpe:/a:eclipse:eclipse_ide:2.1.3
• cpe:/a:eclipse:eclipse_ide:3.0
• cpe:/a:eclipse:eclipse_ide:3.0.1
• cpe:/a:eclipse:eclipse_ide:3.0.2
• cpe:/a:eclipse:eclipse_ide:3.1
• cpe:/a:eclipse:eclipse_ide:3.1.1
• cpe:/a:eclipse:eclipse_ide:3.1.2
• cpe:/a:eclipse:eclipse_ide:3.2
• cpe:/a:eclipse:eclipse_ide:3.2.1
• cpe:/a:eclipse:eclipse_ide:3.2.2
• cpe:/a:eclipse:eclipse_ide:3.3
• cpe:/a:eclipse:eclipse_ide:3.3.1
• cpe:/a:eclipse:eclipse_ide:3.3.1.1
• cpe:/a:eclipse:eclipse_ide:3.3.2
• cpe:/a:eclipse:eclipse_ide:3.4
• cpe:/a:eclipse:eclipse_ide:3.4.1
• cpe:/a:eclipse:eclipse_ide:3.4.2
• cpe:/a:eclipse:eclipse_ide:3.5
• cpe:/a:eclipse:eclipse_ide:3.5.1
• cpe:/a:eclipse:eclipse_ide:3.5.2
• cpe:/a:eclipse:eclipse_ide:3.6:m1
• cpe:/a:eclipse:eclipse_ide:3.6:m2
• cpe:/a:eclipse:eclipse_ide:3.6:m3
• cpe:/a:eclipse:eclipse_ide:3.6:m4
• cpe:/a:eclipse:eclipse_ide:3.6:m5
• cpe:/a:eclipse:eclipse_ide:3.6:m6
• cpe:/a:eclipse:eclipse_ide:3.6:m7
• cpe:/a:eclipse:eclipse_ide:3.6:rc1
• cpe:/a:eclipse:eclipse_ide:3.6:rc2
• cpe:/a:eclipse:eclipse_ide:3.6:rc3
• cpe:/a:eclipse:eclipse_ide:3.6:rc4
• cpe:/a:eclipse:eclipse_ide:3.6.1 and all previous versions

• maven: org.eclipse.platform:org.eclipse.equinox.p2.core:2.4.100 ✓   Confidence:Highest
• cpe: cpe:/a:eclipse:eclipse_ide:2.0   Confidence:Medium   suppress

CVE-2008-7271  suppress

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3.3.2, allow remote attackers to inject arbitrary web script or HTML via (1) the searchWord parameter to help/advanced/searchView.jsp or (2) the workingSet parameter in an add action to help/advanced/workingSetManager.jsp, a different issue than CVE-2010-4647.

• MISC - http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html
• MISC - https://bugs.eclipse.org/bugs/show_bug.cgi?id=223539

Vulnerable Software & Versions: (show all)

• cpe:/a:eclipse:eclipse_ide
• ...
• cpe:/a:eclipse:eclipse_ide
• cpe:/a:eclipse:eclipse_ide:3.3.2

CVE-2010-4647  suppress

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE before 3.6.2 allow remote attackers to inject arbitrary web script or HTML via the query string to (1) help/index.jsp or (2) help/advanced/content.jsp.

• FEDORA - FEDORA-2010-18990
• FEDORA - FEDORA-2010-19006
• MANDRIVA - MDVSA-2011:032
• MISC - http://yehg.net/lab/pr0js/advisories/eclipse/[eclipse_help_server]_cross_site_scripting
• MISC - https://bugs.eclipse.org/bugs/show_bug.cgi?id=329582
• MLIST - [oss-security] 20110106 CVE Request: Eclipse IDE Version: 3.6.1 | Help Server Local Cross Site Scripting (XSS)
• MLIST - [oss-security] 20110106 Re: CVE Request: Eclipse IDE Version: 3.6.1 | Help Server Local Cross Site Scripting (XSS)
• REDHAT - RHSA-2011:0568
• XF - eclipseide-querystring-xss(64833)

Vulnerable Software & Versions: (show all)

• cpe:/a:eclipse:eclipse_ide:2.0
• ...
• cpe:/a:eclipse:eclipse_ide:1.0
• cpe:/a:eclipse:eclipse_ide:2.0
• cpe:/a:eclipse:eclipse_ide:2.0.1
• cpe:/a:eclipse:eclipse_ide:2.0.2
• cpe:/a:eclipse:eclipse_ide:2.1
• cpe:/a:eclipse:eclipse_ide:2.1.1
• cpe:/a:eclipse:eclipse_ide:2.1.2
• cpe:/a:eclipse:eclipse_ide:2.1.3
• cpe:/a:eclipse:eclipse_ide:3.0
• cpe:/a:eclipse:eclipse_ide:3.0.1
• cpe:/a:eclipse:eclipse_ide:3.0.2
• cpe:/a:eclipse:eclipse_ide:3.1
• cpe:/a:eclipse:eclipse_ide:3.1.1
• cpe:/a:eclipse:eclipse_ide:3.1.2
• cpe:/a:eclipse:eclipse_ide:3.2
• cpe:/a:eclipse:eclipse_ide:3.2.1
• cpe:/a:eclipse:eclipse_ide:3.2.2
• cpe:/a:eclipse:eclipse_ide:3.3
• cpe:/a:eclipse:eclipse_ide:3.3.1
• cpe:/a:eclipse:eclipse_ide:3.3.1.1
• cpe:/a:eclipse:eclipse_ide:3.3.2
• cpe:/a:eclipse:eclipse_ide:3.4
• cpe:/a:eclipse:eclipse_ide:3.4.1
• cpe:/a:eclipse:eclipse_ide:3.4.2
• cpe:/a:eclipse:eclipse_ide:3.5
• cpe:/a:eclipse:eclipse_ide:3.5.1
• cpe:/a:eclipse:eclipse_ide:3.5.2
• cpe:/a:eclipse:eclipse_ide:3.6:m1
• cpe:/a:eclipse:eclipse_ide:3.6:m2
• cpe:/a:eclipse:eclipse_ide:3.6:m3
• cpe:/a:eclipse:eclipse_ide:3.6:m4
• cpe:/a:eclipse:eclipse_ide:3.6:m5
• cpe:/a:eclipse:eclipse_ide:3.6:m6
• cpe:/a:eclipse:eclipse_ide:3.6:m7
• cpe:/a:eclipse:eclipse_ide:3.6:rc1
• cpe:/a:eclipse:eclipse_ide:3.6:rc2
• cpe:/a:eclipse:eclipse_ide:3.6:rc3
• cpe:/a:eclipse:eclipse_ide:3.6:rc4
• cpe:/a:eclipse:eclipse_ide:3.6.1 and all previous versions

• maven: org.apache.httpcomponents:httpclient:4.0.1 ✓   Confidence:Highest
• cpe: cpe:/a:apache:httpclient:4.0.1   Confidence:Highest   suppress

CVE-2011-1498  suppress

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header.

• BID - 46974
• CERT-VN - VU#153049
• CONFIRM - http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.1.x.txt
• CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=709531
• CONFIRM - https://issues.apache.org/jira/browse/HTTPCLIENT-1061
• FEDORA - FEDORA-2011-7747
• MLIST - [httpclient-users] 20110224 Proxy-Authorization header received on server side
• MLIST - [httpclient-users] 20110224 RE: Proxy-Authorization header received on server side
• MLIST - [httpclient-users] 20110224 RE: Proxy-Authorization header received on server side
• MLIST - [httpclient-users] 20110224 Re: Proxy-Authorization header received on server side
• MLIST - [httpclient-users] 20110224 Re: Proxy-Authorization header received on server side
• MLIST - [oss-security] 20110407 Apache HttpClient CVE request [VU#153049]
• MLIST - [oss-security] 20110408 Re: Apache HttpClient CVE request [VU#153049]
• SREASON - 8298

Vulnerable Software & Versions: (show all)

• cpe:/a:apache:httpclient:4.0.1
• ...
• cpe:/a:apache:httpclient:4.0
• cpe:/a:apache:httpclient:4.0:alpha1
• cpe:/a:apache:httpclient:4.0:alpha2
• cpe:/a:apache:httpclient:4.0:alpha3
• cpe:/a:apache:httpclient:4.0:alpha4
• cpe:/a:apache:httpclient:4.0:beta1
• cpe:/a:apache:httpclient:4.0:beta2
• cpe:/a:apache:httpclient:4.0.1
• cpe:/a:apache:httpclient:4.1
• cpe:/a:apache:httpclient:4.1:alpha1
• cpe:/a:apache:httpclient:4.1:alpha2
• cpe:/a:apache:httpclient:4.1:beta1

CVE-2014-3577  suppress

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

• BID - 69258
• CONFIRM - https://access.redhat.com/solutions/1165533
• CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564
• CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05363782
• FULLDISC - 20140818 CVE-2014-3577: Apache HttpComponents client: Hostname verification susceptible to MITM attack
• MISC - http://packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-Middle.html
• OSVDB - 110143
• REDHAT - RHSA-2014:1146
• REDHAT - RHSA-2014:1166
• REDHAT - RHSA-2014:1833
• REDHAT - RHSA-2014:1834
• REDHAT - RHSA-2014:1835
• REDHAT - RHSA-2014:1836
• REDHAT - RHSA-2014:1891
• REDHAT - RHSA-2014:1892
• REDHAT - RHSA-2015:0125
• REDHAT - RHSA-2015:0158
• REDHAT - RHSA-2015:0675
• REDHAT - RHSA-2015:0720
• REDHAT - RHSA-2015:0765
• REDHAT - RHSA-2015:0850
• REDHAT - RHSA-2015:0851
• REDHAT - RHSA-2015:1176
• REDHAT - RHSA-2015:1177
• SECTRACK - 1030812
• SECUNIA - 60466
• UBUNTU - USN-2769-1
• XF - apache-cve20143577-spoofing(95327)

Vulnerable Software & Versions: (show all)

• cpe:/a:apache:httpclient:4.0.1
• ...
• cpe:/a:apache:httpasyncclient:4.0
• cpe:/a:apache:httpasyncclient:4.0:alpha1
• cpe:/a:apache:httpasyncclient:4.0:alpha2
• cpe:/a:apache:httpasyncclient:4.0:alpha3
• cpe:/a:apache:httpasyncclient:4.0:beta1
• cpe:/a:apache:httpasyncclient:4.0:beta2
• cpe:/a:apache:httpasyncclient:4.0:beta3
• cpe:/a:apache:httpasyncclient:4.0:beta4
• cpe:/a:apache:httpasyncclient:4.0.1 and all previous versions
• cpe:/a:apache:httpclient:4.0
• cpe:/a:apache:httpclient:4.0:alpha1
• cpe:/a:apache:httpclient:4.0:alpha2
• cpe:/a:apache:httpclient:4.0:alpha3
• cpe:/a:apache:httpclient:4.0:alpha4
• cpe:/a:apache:httpclient:4.0:beta1
• cpe:/a:apache:httpclient:4.0:beta2
• cpe:/a:apache:httpclient:4.0.1
• cpe:/a:apache:httpclient:4.1
• cpe:/a:apache:httpclient:4.1:alpha1
• cpe:/a:apache:httpclient:4.1:alpha2
• cpe:/a:apache:httpclient:4.1:beta1
• cpe:/a:apache:httpclient:4.1.1
• cpe:/a:apache:httpclient:4.1.2
• cpe:/a:apache:httpclient:4.2
• cpe:/a:apache:httpclient:4.2:alpha1
• cpe:/a:apache:httpclient:4.2:beta1
• cpe:/a:apache:httpclient:4.2.1
• cpe:/a:apache:httpclient:4.2.2
• cpe:/a:apache:httpclient:4.2.3
• cpe:/a:apache:httpclient:4.3
• cpe:/a:apache:httpclient:4.3:alpha1
• cpe:/a:apache:httpclient:4.3:beta1
• cpe:/a:apache:httpclient:4.3:beta2
• cpe:/a:apache:httpclient:4.3.1
• cpe:/a:apache:httpclient:4.3.2
• cpe:/a:apache:httpclient:4.3.3
• cpe:/a:apache:httpclient:4.3.4 and all previous versions

CVE-2015-5262  suppress

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

• CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1626784
• CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1261538
• CONFIRM - https://issues.apache.org/jira/browse/HTTPCLIENT-1478
• FEDORA - FEDORA-2015-15588
• FEDORA - FEDORA-2015-15589
• FEDORA - FEDORA-2015-15590
• SECTRACK - 1033743
• UBUNTU - USN-2769-1

Vulnerable Software & Versions:

• cpe:/a:apache:httpclient:4.3.5 and all previous versions