httpcomponents-client: credentials disclosure
Package(s): httpcomponents-client
CVE #(s): CVE-2011-1498
Created: June 15, 2011
Updated: June 16, 2011
Description: According to the 4.1.1 release notes, HttpClient suffers from a vulnerability whereby it can send proxy authorization headers to sites other than the proxy.
Alerts:
httpcomponents-client: mysterious vulnerability
Posted Jun 16, 2011 6:09 UTC (Thu) by geofft (subscriber, #59789) [Link] (1 responses)

* [HTTPCLIENT-1061] Fixed critical bug causing Proxy-Authorization header to be sent to the target host when tunneling requests through a proxy server that requires authentication. Contributed by Oleg Kalnichevski <olegk at apache.org>

Or, in other words, it seems like HttpClient sends your proxy credentials to the proxy server, and then also sends those credentials to whatever random websites you're visiting through the proxy. A malicious website can grab those credentials and then log in to your proxy and use it.

I agree that the English isn't the world's best (see also "This update fixes several bug." from the Fedora alert), but there's no mystery as to what the actual bug here is.

Fixed
Posted Jun 16, 2011 13:12 UTC (Thu) by corbet (editor, #1) [Link]

You're right, I misread that. I've fixed the entry, thanks.

It's nice to know people actually read these vulnerability entries! :)
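The leak geofft describes, modelled as an added example (not code from this thread or from the HttpClient project; host names, credentials and function names are constructed): the proxy credentials belong on the CONNECT request sent to the proxy, and must be stripped from the request that travels through the tunnel to the origin host. The `leaky` flag reproduces the pre-4.1.1 behaviour so the checker can be seen catching it.

```python
"""Model of the HTTPCLIENT-1061 header leak. Added example, not HttpClient
code; all names and sample values below are constructed."""
from typing import Dict, List, Tuple

# Headers addressed to the proxy itself; they must never reach the origin.
PROXY_ONLY_HEADERS = {"proxy-authorization"}


def build_tunnel_requests(proxy_credentials: str, target_host: str,
                          path: str, headers: Dict[str, str],
                          leaky: bool = False) -> Tuple[str, str]:
    """Return (CONNECT request to the proxy, request sent through the tunnel).

    With leaky=True the proxy credentials are carried over into the origin
    request, which is the behaviour the 4.1.1 release note fixes."""
    connect = (f"CONNECT {target_host}:443 HTTP/1.1\r\n"
               f"Host: {target_host}:443\r\n"
               f"Proxy-Authorization: Basic {proxy_credentials}\r\n\r\n")
    origin_headers = dict(headers)
    # Vulnerable behaviour: reuse the proxy credentials on the inner request.
    origin_headers["Proxy-Authorization"] = f"Basic {proxy_credentials}"
    if not leaky:
        # Fixed behaviour: drop proxy-only headers before entering the tunnel.
        origin_headers = {k: v for k, v in origin_headers.items()
                          if k.lower() not in PROXY_ONLY_HEADERS}
    lines = [f"GET {path} HTTP/1.1", f"Host: {target_host}"]
    lines += [f"{k}: {v}" for k, v in origin_headers.items()]
    return connect, "\r\n".join(lines) + "\r\n\r\n"


def leaked_proxy_headers(raw_request: str) -> List[str]:
    """Names of proxy-only headers found in a request that is not a CONNECT,
    i.e. one that will be delivered to the origin server."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    if request_line.upper().startswith("CONNECT "):
        return []  # talking to the proxy: credentials are expected here
    found = []
    for line in header_lines:
        name = line.split(":", 1)[0].strip().lower()
        if name in PROXY_ONLY_HEADERS:
            found.append(name)
    return found


if __name__ == "__main__":
    creds = "dXNlcjpzZWNyZXQ="  # constructed base64 of "user:secret"
    for leaky in (True, False):
        _, inner = build_tunnel_requests(creds, "example.org", "/",
                                         {"Accept": "*/*"}, leaky)
        print("leaky" if leaky else "fixed", leaked_proxy_headers(inner))
```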