oss-sec mailing list archives
Re: CVE request: incorrect URL parsing in async-http-client <= 2.0.35
From: Salvatore Bonaccorso <carnil () debian org>
Date: Thu, 31 Aug 2017 15:04:09 +0200
Hi Nicolas,

On Thu, Aug 31, 2017 at 02:06:34PM +0200, Nicolas Grégoire wrote:
> Hello,
>
> a flaw was identified in the URL parsing code of async-http-client, a Java
> HTTP client used in other projects like the Play Framework (through its WS
> library): https://www.playframework.com/documentation/2.6.x/JavaWS
>
> The bug is similar to CVE-2016-8624 affecting cURL (incorrect processing of
> string "#@" in the hostname): https://curl.haxx.se/docs/adv_20161102J.html
>
> Version 2.0.35 of async-http-client includes a fix and is available through
> Maven since Monday.
>
> Relevant GitHub issue:
> https://github.com/AsyncHttpClient/async-http-client/issues/1455

CVEs cannot be requested anymore via the oss-security list. Could you please
request the CVE via the form at https://cveform.mitre.org/ and possibly keep
us posted with a followup to this thread once the CVE has been assigned?

Regards,
Salvatore
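The bug class Nicolas describes (a "#@" sequence making a parser take the wrong host from the authority component) is easiest to catch with a parser-differential regression check: parse each URL with a reference RFC 3986 parser and compare the host against what the client under test extracts. The following is an added example written for this thread, not code from async-http-client, cURL or Play. It uses Python's standard-library urlsplit as the reference, a constructed naive parser that stands in for a buggy client (it looks for "@" before it has found where the authority ends), and a constructed list of sample URLs; the function and variable names are assumptions for this illustration.

```python
"""Parser-differential check for authority/host extraction.

Reference: RFC 3986 says the authority component ends at the first
'/', '?' or '#'; only an '@' inside that span delimits userinfo.
"""
from urllib.parse import urlsplit


def rfc3986_host(url: str):
    """Reference host: urlsplit cuts the authority at '/', '?' or '#'
    before looking for userinfo, so a fragment cannot smuggle a host."""
    return urlsplit(url).hostname


def naive_host(url: str):
    """Constructed stand-in for a buggy client (NOT async-http-client's code).

    It searches the whole remainder of the URL for '@' first, so an '@'
    that actually lives in the fragment, path or query is mistaken for the
    userinfo delimiter and whatever follows it becomes the host.
    """
    if "://" not in url:
        return None
    rest = url.split("://", 1)[1]
    if "@" in rest:                       # bug: '@' may be outside the authority
        rest = rest.split("@", 1)[1]
    for sep in "/?#":                     # authority end is found too late
        rest = rest.split(sep, 1)[0]
    return rest.split(":", 1)[0].lower() or None


def find_disagreements(parse_host, urls):
    """Return (url, reference_host, client_host) for every URL where the
    parser under test disagrees with the RFC 3986 reference."""
    findings = []
    for url in urls:
        expected = rfc3986_host(url)
        got = parse_host(url)
        if got != expected:
            findings.append((url, expected, got))
    return findings


# Constructed sample inputs: ordinary URLs plus '@' placed outside the authority.
SAMPLE_URLS = [
    "http://example.com/",
    "http://user:pw@example.com:8080/x?y#z",      # legitimate userinfo
    "http://example.com#@evil.test/",             # the "#@" case from the thread
    "http://example.com/?q=a@b",                  # '@' in the query, same class
    "https://api.example.org:443/v1",
]

if __name__ == "__main__":
    for url, expected, got in find_disagreements(naive_host, SAMPLE_URLS):
        print(f"MISMATCH {url!r}: reference host={expected!r}, client host={got!r}")
    print("reference parser self-check:",
          "ok" if not find_disagreements(rfc3986_host, SAMPLE_URLS) else "FAIL")
```

To use this against a real client, replace naive_host with a thin wrapper that asks the client which host it would connect to for a given URL and run the same sample list; any mismatch is a candidate for the same bug class, whether or not the client is the one discussed here.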
Current thread:
- CVE request: incorrect URL parsing in async-http-client <= 2.0.35 Nicolas Grégoire (Aug 31)
- Re: CVE request: incorrect URL parsing in async-http-client <= 2.0.35 Salvatore Bonaccorso (Aug 31)
- Re: CVE request: incorrect URL parsing in async-http-client <= 2.0.35 Nicolas Grégoire (Aug 31)
- Re: CVE request: incorrect URL parsing in async-http-client <= 2.0.35 Salvatore Bonaccorso (Aug 31)