CVE-2013-4366
CRITICAL9.8EPSS 1.3%Hostname verification in Apache HttpClient 4.3 was disabled by default
Published: 5/13/2022Modified: 4/28/2026
Also known as:DEBIAN-CVE-2013-4366
Description
http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification.
Affected packages (2)
- Debian/httpcomponents-clientfrom 0, < 4.3.2-1
- Maven/org.apache.httpcomponents:httpclient>= 4.3, < 4.3.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2013-4366
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2013-4366
- WEBhttps://github.com/apache/httpcomponents-client/commit/08140864e3e4c0994e094c4cf0507932baf6a66
- WEBhttp://svn.apache.org/r1528614
- WEBhttp://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.3.x.txt