CVE-2015-5262
Summary
| CVE | CVE-2015-5262 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2015-10-27 16:59:00 UTC |
| Updated | 2023-02-13 00:52:00 UTC |
| Description | http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors. |
Risk And Classification
Problem Types: CWE-399
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Httpclient | All | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 12.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 14.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 15.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 12.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 14.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 15.04 | All | All | All |
| Operating System | Fedoraproject | Fedora | 21 | All | All | All |
| Operating System | Fedoraproject | Fedora | 22 | All | All | All |
| Operating System | Fedoraproject | Fedora | 23 | All | All | All |
| Operating System | Fedoraproject | Fedora | 21 | All | All | All |
| Operating System | Fedoraproject | Fedora | 22 | All | All | All |
| Operating System | Fedoraproject | Fedora | 23 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [HTTPCLIENT-1478] https calls ignore http.socket.timeout during SSL Handshake - ASF JIRA | CONFIRM | issues.apache.org | Vendor Advisory |
| [security-announce] openSUSE-SU-2020:1873-1: important: Security update | SUSE | lists.opensuse.org | |
| Jenkins Security Advisory 2018-02-26 | CONFIRM | jenkins.io | Third Party Advisory |
| Apache Commons Components HttpClient HTTPS Timeout Error Lets Remote Users Deny Service - SecurityTracker | SECTRACK | www.securitytracker.com | Third Party Advisory, VDB Entry |
| Pony Mail! | MLIST | lists.apache.org | |
| USN-2769-1: Apache Commons HttpClient vulnerabilities | Ubuntu | UBUNTU | www.ubuntu.com | Third Party Advisory |
| CPU July 2018 | CONFIRM | www.oracle.com | |
| Pony Mail! | MISC | lists.apache.org | |
| Pony Mail! | MISC | lists.apache.org | |
| Pony Mail! | MISC | lists.apache.org | |
| [SECURITY] Fedora 23 Update: jakarta-commons-httpclient-3.1-23.fc23 | FEDORA | lists.fedoraproject.org | Third Party Advisory |
| [SECURITY] Fedora 21 Update: jakarta-commons-httpclient-3.1-20.fc21 | FEDORA | lists.fedoraproject.org | Third Party Advisory |
| [security-announce] openSUSE-SU-2020:1875-1: important: Security update | SUSE | lists.opensuse.org | |
| [Apache-SVN] Revision 1626784 | CONFIRM | svn.apache.org | Vendor Advisory |
| Pony Mail! | MLIST | lists.apache.org | |
| 1261538 – (CVE-2015-5262) CVE-2015-5262 jakarta-commons-httpclient, httpcomponents-core: missing HTTPS connection timeout | CONFIRM | bugzilla.redhat.com | Issue Tracking, Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | |
| [SECURITY] Fedora 22 Update: jakarta-commons-httpclient-3.1-23.fc22 | FEDORA | lists.fedoraproject.org | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.