CVE-2015-5262

medium

Description

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
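The failure mode above, turned into a check that can be run against any TLS client, as an added example that is not code from the HttpClient project: a constructed "black-hole" server completes the TCP handshake and then stays silent, which is exactly the peer behaviour that left HttpClient before 4.3.6 blocked in the SSL handshake because the configured socket timeout was not applied until after it. The probe below sets a socket timeout and starts a handshake; a correct client gives up after the configured interval, while a client with the pre-4.3.6 behaviour would block here indefinitely. The server fixture, the loopback port selection and the probe function are assumptions made for this demonstration.

```python
"""Added example: does a TLS client's socket timeout cover the handshake?

Constructed fixture, not HttpClient code: the server accepts TCP connections
and never sends a byte, the condition under which HttpClient before 4.3.6 hung
(http.socket.timeout ignored during the SSL handshake).
"""
import socket
import ssl
import threading
import time


def start_blackhole_server():
    """Listen on an ephemeral loopback port; accept and hold every connection
    without ever writing to it. Returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port
    srv.listen(5)
    port = srv.getsockname()[1]
    stop = threading.Event()
    held = []

    def run():
        srv.settimeout(0.2)             # poll accept() so stop can be noticed
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                held.append(conn)       # keep it open; never read, never write
            except socket.timeout:
                continue
        for conn in held:
            conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port, stop


def probe_handshake_timeout(port, timeout_s):
    """Connect to the fixture and start a TLS handshake with timeout_s applied
    to the socket. Returns (outcome, elapsed_seconds) where outcome is
    'timeout', 'handshake-ok' or 'ssl-error'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # the fixture presents no certificate
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection(("127.0.0.1", port), timeout=timeout_s)
    raw.settimeout(timeout_s)           # the setting the CVE says was ignored
    start = time.monotonic()
    try:
        # wrap_socket runs the handshake immediately; with a timeout on the
        # underlying socket it raises instead of blocking forever.
        with ctx.wrap_socket(raw, server_hostname="localhost"):
            return "handshake-ok", time.monotonic() - start
    except socket.timeout:
        return "timeout", time.monotonic() - start
    except ssl.SSLError:
        return "ssl-error", time.monotonic() - start


if __name__ == "__main__":
    port, stop = start_blackhole_server()
    try:
        print(probe_handshake_timeout(port, 1.0))   # expect ('timeout', ~1.0)
    finally:
        stop.set()
```

The same fixture can be pointed at the client under test instead of the Python probe: build an HttpClient 4.3.x client with a socket timeout set (for example via RequestConfig.custom().setSocketTimeout(...)), request https://127.0.0.1:PORT/, and confirm the call fails after the configured interval rather than hanging; on versions before 4.3.6 it hangs.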

References

http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167962.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167999.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168030.html

http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00032.html

http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00033.html

http://svn.apache.org/viewvc?view=revision&revision=1626784

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.securitytracker.com/id/1033743

http://www.ubuntu.com/usn/USN-2769-1

https://bugzilla.redhat.com/show_bug.cgi?id=1261538

https://issues.apache.org/jira/browse/HTTPCLIENT-1478

https://jenkins.io/security/advisory/2018-02-26/

https://lists.apache.org/thread.html/[email protected]%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.drill.apache.org%3E

Details

Source: MITRE

Published: 2015-10-27

Updated: 2020-11-08

Type: CWE-399 (Resource Management Errors)

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Tenable Plugins

13 total

ID     | Name                                                                                                              | Product | Family                          | Severity
149787 | IBM WebSphere Application Server 8.0.x <= 8.0.0.15 / 8.5.x < 8.5.5.20 / 9.0.x < 9.0.5.8 Multiple Vulnerabilities | Nessus  | Web Servers                     | high
142638 | openSUSE Security Update : apache-commons-httpclient (openSUSE-2020-1875)                                        | Nessus  | SuSE Local Security Checks      | medium
142629 | openSUSE Security Update : apache-commons-httpclient (openSUSE-2020-1873)                                        | Nessus  | SuSE Local Security Checks      | medium
140702 | Photon OS 3.0: Commons PHSA-2020-3.0-0141                                                                        | Nessus  | PhotonOS Local Security Checks  | medium
133910 | EulerOS 2.0 SP5 : jakarta-commons-httpclient (EulerOS-SA-2020-1109)                                              | Nessus  | Huawei Local Security Checks    | medium
131889 | EulerOS 2.0 SP2 : jakarta-commons-httpclient (EulerOS-SA-2019-2397)                                              | Nessus  | Huawei Local Security Checks    | medium
131671 | EulerOS 2.0 SP2 : httpcomponents-client (EulerOS-SA-2019-2518)                                                   | Nessus  | Huawei Local Security Checks    | medium
129220 | EulerOS 2.0 SP3 : jakarta-commons-httpclient (EulerOS-SA-2019-2027)                                              | Nessus  | Huawei Local Security Checks    | medium
86401  | Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : commons-httpclient vulnerabilities (USN-2769-1)                           | Nessus  | Ubuntu Local Security Checks    | medium
86230  | Fedora 23 : jakarta-commons-httpclient-3.1-23.fc23 (2015-15590)                                                  | Nessus  | Fedora Local Security Checks    | medium
86229  | Fedora 22 : jakarta-commons-httpclient-3.1-23.fc22 (2015-15589)                                                  | Nessus  | Fedora Local Security Checks    | medium
86228  | Fedora 21 : jakarta-commons-httpclient-3.1-20.fc21 (2015-15588)                                                  | Nessus  | Fedora Local Security Checks    | medium
86225  | Debian DLA-322-1 : commons-httpclient security update                                                            | Nessus  | Debian Local Security Checks    | medium