CVE-2015-5262
Summary
| CVE | CVE-2015-5262 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2015-10-27 16:59:07 UTC |
| Updated | 2026-05-06 22:30:45 UTC |
| Description | http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors. |
Risk And Classification
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
MediumAuthentication
NoneConfidentiality
NoneIntegrity
NoneAvailability
PartialAV:N/AC:M/Au:N/C:N/I:N/A:P
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Httpclient | All | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 12.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 14.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 15.04 | All | All | All |
| Operating System | Fedoraproject | Fedora | 21 | All | All | All |
| Operating System | Fedoraproject | Fedora | 22 | All | All | All |
| Operating System | Fedoraproject | Fedora | 23 | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Apache Commons Components HttpClient HTTPS Timeout Error Lets Remote Users Deny Service - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | Third Party Advisory, VDB Entry |
| [SECURITY] Fedora 23 Update: jakarta-commons-httpclient-3.1-23.fc23 | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | Third Party Advisory |
| [security-announce] openSUSE-SU-2020:1875-1: important: Security update | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| 1261538 – (CVE-2015-5262) CVE-2015-5262 jakarta-commons-httpclient, httpcomponents-core: missing HTTPS connection timeout | af854a3a-2127-422b-91ae-364da2661108 | bugzilla.redhat.com | Issue Tracking, Third Party Advisory |
| [Apache-SVN] Revision 1626784 | af854a3a-2127-422b-91ae-364da2661108 | svn.apache.org | Vendor Advisory |
| USN-2769-1: Apache Commons HttpClient vulnerabilities | Ubuntu | af854a3a-2127-422b-91ae-364da2661108 | www.ubuntu.com | Third Party Advisory |
| Pony Mail! | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | |
| [SECURITY] Fedora 22 Update: jakarta-commons-httpclient-3.1-23.fc22 | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | Third Party Advisory |
| Pony Mail! | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | |
| [security-announce] openSUSE-SU-2020:1873-1: important: Security update | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| [HTTPCLIENT-1478] https calls ignore http.socket.timeout during SSL Handshake - ASF JIRA | af854a3a-2127-422b-91ae-364da2661108 | issues.apache.org | Vendor Advisory |
| CPU July 2018 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| [SECURITY] Fedora 21 Update: jakarta-commons-httpclient-3.1-20.fc21 | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | Third Party Advisory |
| Jenkins Security Advisory 2018-02-26 | af854a3a-2127-422b-91ae-364da2661108 | jenkins.io | Third Party Advisory |
| Pony Mail! | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | |
| Pony Mail! | MITRE | lists.apache.org | |
| Pony Mail! | MITRE | lists.apache.org | |
| Pony Mail! | MITRE | lists.apache.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.