http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
| Score | Percentile |
|---|---|
| 1.62% | 81.81% |
No CVSS scores in this advisory.
| Type | Value |
|---|---|
| GHSA | GHSA-fmj5-wv96-r2ch ↗ |
| CVE | CVE-2015-5262 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| maven | org.apache.httpcomponents:httpclient | < 4.3.6 | 4.3.6 | — |