CVE-2011-1498: Infoleak
First published: Tue May 31 2011(Updated: )
Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.httpcomponents:httpclient | >=4.0.0<4.1.1 | 4.1.1 |
| redhat/httpcomponents-client | <4.1.1 | 4.1.1 |
| Apache Commons HttpClient | =4.0 | |
| Apache Commons HttpClient | =4.0-alpha1 | |
| Apache Commons HttpClient | =4.0-alpha2 | |
| Apache Commons HttpClient | =4.0-alpha3 | |
| Apache Commons HttpClient | =4.0-alpha4 | |
| Apache Commons HttpClient | =4.0-beta1 | |
| Apache Commons HttpClient | =4.0-beta2 | |
| Apache Commons HttpClient | =4.0.1 | |
| Apache Commons HttpClient | =4.1 | |
| Apache Commons HttpClient | =4.1-alpha1 | |
| Apache Commons HttpClient | =4.1-alpha2 | |
| Apache Commons HttpClient | =4.1-beta1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://marc.info/?l=httpclient-users&m=129857589129183&w=2
- http://marc.info/?l=httpclient-users&m=129856318011586&w=2
- https://issues.apache.org/jira/browse/HTTPCLIENT-1061
- http://openwall.com/lists/oss-security/2011/04/07/7
- https://bugzilla.redhat.com/show_bug.cgi?id=709531
- http://marc.info/?l=httpclient-users&m=129858274406594&w=2
- http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061440.html
- http://www.securityfocus.com/bid/46974
- http://marc.info/?l=httpclient-users&m=129858299106950&w=2
- http://marc.info/?l=httpclient-users&m=129853896315461&w=2
- http://openwall.com/lists/oss-security/2011/04/08/1
- http://www.kb.cert.org/vuls/id/153049
- http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.1.x.txt
- http://securityreason.com/securityalert/8298
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=709532
- https://nvd.nist.gov/vuln/detail/CVE-2011-1498
- https://github.com/apache/httpcomponents-client/commit/a572756592c969affd0ce87885724e74839176fb
- https://github.com/advisories/GHSA-gw85-4gmf-m7rh (Advisory)
Frequently Asked Questions
What is the severity of CVE-2011-1498?
CVE-2011-1498 is considered to have medium severity due to the potential exposure of sensitive information.
How do I fix CVE-2011-1498?
To fix CVE-2011-1498, upgrade to Apache HttpClient version 4.1.1 or later.
What types of software are affected by CVE-2011-1498?
CVE-2011-1498 affects versions of Apache HttpClient prior to 4.1.1 when used with an authenticating proxy server.
What information could be exposed by CVE-2011-1498?
CVE-2011-1498 could allow remote web servers to log and access sensitive information from the Proxy-Authorization header.
Is CVE-2011-1498 a client-side vulnerability?
Yes, CVE-2011-1498 is a client-side vulnerability affecting applications using older versions of Apache HttpClient.
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-gw85-4gmf-m7rh
- alias/CVE-2011-1498
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/weakness
- agent/description
- agent/softwarecombine
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-historical
- package-manager/maven
- package-manager/redhat
- vendor/apache
- canonical/apache commons httpclient
- version/apache commons httpclient/4.0
- version/apache commons httpclient/4.0-alpha1
- version/apache commons httpclient/4.0-alpha2
- version/apache commons httpclient/4.0-alpha3
- version/apache commons httpclient/4.0-alpha4
- version/apache commons httpclient/4.0-beta1
- version/apache commons httpclient/4.0-beta2
- version/apache commons httpclient/4.0.1
- version/apache commons httpclient/4.1
- version/apache commons httpclient/4.1-alpha1
- version/apache commons httpclient/4.1-alpha2
- version/apache commons httpclient/4.1-beta1