Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2013-7398

CVE-2013-7398:
Insufficient Verification of Data Authenticity in Async Http Client

4.3

CVSS Score

Basic Information

CVE ID
CVE-2013-7398
GHSA ID
GHSA-5c66-6h6g-6q6m
EPSS Score
-
CWE
CWE-345
Published
5/13/2022
Updated
3/4/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
AV:N/AC:M/Au:N/C:N/I:P/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
com.ning:async-http-clientmaven< 1.9.01.9.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing hostname verification in SSL certificate validation. The commit diff shows the vulnerable version used AllowAllHostnameVerifier in defaultHostnameVerifier() which explicitly skips hostname checks. The patch replaces it with DefaultHostnameVerifier that implements proper checks. The CVE description and GHSA advisory both confirm the root cause was lack of hostname verification in certificate validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

m*in/j*v*/*om/nin*/*ttp/*li*nt/*syn**ttp*li*nt*on*i*.j*v* in *syn* *ttp *li*nt (*k* *** or *syn*-*ttp-*li*nt) ***or* *.*.* *o*s not r*quir* * *ostn*m* m*t** *urin* v*ri*i**tion o* X.*** **rti*i**t*s, w*i** *llows m*n-in-t**-mi**l* *tt**k*rs to spoo*

Reasoning

T** vuln*r**ility st*ms *rom missin* *ostn*m* v*ri*i**tion in SSL **rti*i**t* v*li**tion. T** *ommit *i** s*ows t** vuln*r**l* v*rsion us** *llow*ll*ostn*m*V*ri*i*r in ****ult*ostn*m*V*ri*i*r() w*i** *xpli*itly skips *ostn*m* ****ks. T** p*t** r*pl**