oss-sec mailing list archives
CVE request: incorrect URL parsing in async-http-client <= 2.0.35
From: Nicolas Grégoire <nicolas.gregoire () agarri fr>
Date: Thu, 31 Aug 2017 14:06:34 +0200
Hello,

a flaw was identified in the URL parsing code of async-http-client, a Java HTTP client used in other projects like the Play Framework (through its WS library):
https://www.playframework.com/documentation/2.6.x/JavaWS

The bug is similar to CVE-2016-8624 affecting cURL (incorrect processing of string "#@" in the hostname):
https://curl.haxx.se/docs/adv_20161102J.html

Version 2.0.35 of async-http-client includes a fix and is available through Maven since Monday.

Relevant GitHub issue:
https://github.com/AsyncHttpClient/async-http-client/issues/1455

Regards,
Nicolas Grégoire
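
Added example, not part of the original message and not async-http-client's code: a Java guard that compares a strict RFC 3986 parse (java.net.URI) with a hypothetical lenient parser standing in for the "#@" bug class mentioned above, and refuses any URL on which the two disagree about the host. The class name, lenientHost, the allowlist and the sample URLs are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

public class AuthorityCheck {
    // Hosts the application may contact (constructed sample value).
    static final Set<String> ALLOWED = Set.of("example.com");
    static int indexOfAny(String s, String chars) {
        for (int i = 0; i < s.length(); i++)
            if (chars.indexOf(s.charAt(i)) >= 0) return i;
        return -1;
    }

    // Hypothetical lenient parser (NOT async-http-client's code): looks for the
    // last '@' in the whole URL before cutting it at '/', '?' or '#'.
    static String lenientHost(String url) {
        String rest = url.substring(url.indexOf("://") + 3);
        int at = rest.lastIndexOf('@');
        if (at >= 0) rest = rest.substring(at + 1);
        int end = indexOfAny(rest, "/?#");
        return end >= 0 ? rest.substring(0, end) : rest;
    }

    // RFC 3986 section 3.2: the authority ends at the first '/', '?' or '#',
    // so '@' only separates userinfo when it appears before that point.
    static String strictHost(String url) throws URISyntaxException {
        return new URI(url).getHost();
    }

    // Guard: allow the request only if both parsers agree and the host is allowed.
    static boolean safeToFetch(String url) {
        try {
            String host = strictHost(url);
            return host != null && host.equalsIgnoreCase(lenientHost(url))
                    && ALLOWED.contains(host.toLowerCase());
        } catch (URISyntaxException e) {
            return false; // unparseable input is rejected, not guessed at
        }
    }

    public static void main(String[] args) throws URISyntaxException {
        String[] samples = { // constructed inputs
            "http://example.com/index.html", "http://user@example.com/index.html",
            "http://example.com#@example.net/index.html" };
        for (String u : samples)
            System.out.printf("%-45s strict=%s lenient=%s fetch=%b%n",
                    u, strictHost(u), lenientHost(u), safeToFetch(u));
    }
}
```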