Skip to content

Denial of service vulnerability in org.apache.httpcomponents:httpclient

Moderate severity GitHub Reviewed Published Oct 17, 2018 to the GitHub Advisory Database • Updated Feb 13, 2023

Package

maven org.apache.httpcomponents:httpclient (Maven)

Affected versions

< 4.3.6

Patched versions

4.3.6

Description

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

References

Published by the National Vulnerability Database Oct 27, 2015
Published to the GitHub Advisory Database Oct 17, 2018
Reviewed Jun 16, 2020
Last updated Feb 13, 2023

Severity

Moderate

EPSS score

4.844%
(93rd percentile)

Weaknesses

No CWEs

CVE ID

CVE-2015-5262

GHSA ID

GHSA-fmj5-wv96-r2ch

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.