CVE-2015-5262

Apache HttpComponents HttpClient <4.3.6 - DoS

Title source: llm
STIX 2.1

Description

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

References (15)

Core 15
Core References
Third Party Advisory x_refsource_confirm
https://jenkins.io/security/advisory/2018-02-26/
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1261538
Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167962.html
Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167999.html
Vendor Advisory x_refsource_confirm
https://issues.apache.org/jira/browse/HTTPCLIENT-1478
Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168030.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1033743
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2769-1

Scores

EPSS 0.0120
EPSS Percentile 79.2%

Details

CWE
CWE-399
Status published
Products (8)
apache/httpclient 4.3 - 4.3.5
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 15.04
fedoraproject/fedora 21
fedoraproject/fedora 22
fedoraproject/fedora 23
org.apache.httpcomponents/httpclient 0 - 4.3.6Maven
Published Oct 27, 2015
Tracked Since Feb 18, 2026