4.3

CVSS Score

Basic Information

CVE ID

CVE-2013-7397

GHSA ID

GHSA-8h53-fjgg-g42g

EPSS Score

0.7666%

CWE

CWE-345

Published

5/13/2022

Updated

3/4/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2013-7397

CVE-2013-7397: Insufficient Verification of Data Authenticity in Async Http Client

Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a typical AHC configuration, as demonstrated by a configuration that does not send client certificates.

(GitHub Advisory)

4.3

CVSS Score

Basic Information

CVE ID

CVE-2013-7397

GHSA ID

GHSA-8h53-fjgg-g42g

EPSS Score

0.7666%

CWE

CWE-345

Published

5/13/2022

Updated

3/4/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.ning:async-http-client	maven	< 1.9.0	1.9.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key mechanisms: 1) SslUtils.getSSLContext() defaulted to a trust manager that accepted any certificate when stores weren't explicitly set. 2) The default SSLEngineFactory in AsyncHttpClientConfig propagated this insecure configuration. The patch removed SSLEngineFactory and introduced acceptAnyCertificate to enforce proper validation by default. The LooseTrustManager in SslUtils was the root cause of missing certificate verification.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*syn* *ttp *li*nt (*k* *** or *syn*-*ttp-*li*nt) ***or* *.*.* skips X.*** **rti*i**t* v*ri*i**tion unl*ss *ot* * k*yStor* lo**tion *n* * trustStor* lo**tion *r* *xpli*itly s*t, w*i** *llows m*n-in-t**-mi**l* *tt**k*rs to spoo* *TTPS s*rv*rs *y pr*s*n

Reasoning

T** vuln*r**ility st*mm** *rom two k*y m****nisms: *) `SslUtils.**tSSL*ont*xt()` ****ult** to * trust m*n***r t**t ****pt** *ny **rti*i**t* w**n stor*s w*r*n't *xpli*itly s*t. *) T** ****ult `SSL*n*in****tory` in `*syn**ttp*li*nt*on*i*` prop***t** t*

4.3

Basic Information

Concerned about an active attack path?

CVE-2013-7397: Insufficient Verification of Data Authenticity in Async Http Client

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI