HttpClient 3.1 - CVE-2012-5783


raj kumar

Apr 29, 2024, 2:18:21 PM
to ZAP User Group
Hi Team,

There is a direct vulnerability in Http Client Library 3.1, and there is no upgrade available for this library as it's replaced by httpcomponents (HttpClient v4) and httpclient5 (v5).

Is there a plan to upgrade this library to resolve this vulnerability in the near future?

Thanks,
Raj





kingthorin+zap

Apr 29, 2024, 2:23:10 PM
to ZAP User Group
1) Did you look into the vuln at all?
"...which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."

If you're using ZAP then you're MiTM already :)

If you can find some actual impact of this vulnerability to ZAP's users please let us know.

2) The entire networking core is now in an add-on which uses netty and httpcomponents.
The core still contains HttpClient 3.1 for legacy/compatibility reasons.