Skip to content

Fix: Vulnerability for httpClient #112

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
vikasrathee-cs merged 1 commit into from
Aug 4, 2025
Merged

Fix: Vulnerability for httpClient #112

vikasrathee-cs merged 1 commit into from
Aug 4, 2025

Conversation

@AbhishekKumar9984
Copy link
Contributor

@AbhishekKumar9984 AbhishekKumar9984 commented Jul 21, 2025
edited
Loading

Issue :
This PR fixes multiple medium-severity security vulnerabilities in Apache HttpClient 4.3.4: CVE-2020-13956 (incorrect host resolution due to malformed URIs), CVE-2014-3577 (improper SSL hostname verification allowing MITM attacks), and CVE-2015-5262 (socket timeout not applied during SSL handshake, causing potential DoS).

Root Cause :
The issues stem from using an outdated HttpClient version (4.3.4). This version does not correctly parse malformed URIs, fails to validate SSL certificate hostnames properly, and ignores socket timeout configurations during SSL handshakes.

Fix :
Upgraded httpclient to a secure version 4.5.13.

Jira :
https://cdap.atlassian.net/browse/PLUGIN-1914

sgarg-CS
sgarg-CS approved these changes Jul 22, 2025
View reviewed changes
Copy link
Contributor

@sgarg-CS sgarg-CS left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

MrRahulSharma
MrRahulSharma approved these changes Aug 4, 2025
View reviewed changes
Copy link
Contributor

@MrRahulSharma MrRahulSharma left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@vikasrathee-cs vikasrathee-cs merged commit f829ca6 into data-integrations:develop Aug 4, 2025
7 of 9 checks passed
sgarg-CS pushed a commit to cloudsufi/servicenow-plugins that referenced this pull request Aug 7, 2025
@vikasrathee-cs @sgarg-CS
Merge pull request data-integrations#112 from AbhishekKumar9984/httpC…
c6ccad8 
…lient

Fix: Vulnerability for httpClient
@sgarg-CS sgarg-CS mentioned this pull request Aug 7, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vikasrathee-cs vikasrathee-cs vikasrathee-cs approved these changes

@sgarg-CS sgarg-CS sgarg-CS approved these changes

@MrRahulSharma MrRahulSharma MrRahulSharma approved these changes

@minurajeeve minurajeeve Awaiting requested review from minurajeeve

@Sunish-Dahiya Sunish-Dahiya Awaiting requested review from Sunish-Dahiya

Assignees

@vikasrathee-cs vikasrathee-cs

@sgarg-CS sgarg-CS

Labels

build

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@AbhishekKumar9984 @vikasrathee-cs @sgarg-CS @MrRahulSharma