amaybaum-local / remediate-test6


WS-2017-3734 (Medium, reachable) detected in httpclient-4.3.6.jar - autoclosed #84

Closed mend-local-app[bot] closed 5 months ago

mend-local-app[bot] commented 5 months ago

WS-2017-3734 - Medium Severity Vulnerability

Vulnerable Library - httpclient-4.3.6.jar

HttpComponents Client

Path to dependency file: /pom.xml

Path to vulnerable library: /Users/alexmaybaum/.m2/repository/org/apache/httpcomponents/httpclient/4.3.6/httpclient-4.3.6.jar

Dependency Hierarchy:
- spring-rabbit-1.7.1.RELEASE.jar (Root Library)
  - http-client-1.1.1.RELEASE.jar
    - :x: **httpclient-4.3.6.jar** (Vulnerable Library)

Found in HEAD commit: 9c6901108cf0138889fa46846fabfcb78828d070

Found in base branch: vp-rem

Reachability Analysis(Reachable)

This vulnerability is potentially used:

```
com.visualpathit.account.utils.ElasticsearchUtil (Application)
  -> org.elasticsearch.transport.client.PreBuiltTransportClient (Extension)
  -> org.elasticsearch.index.reindex.ReindexPlugin (Extension)
  -> org.elasticsearch.index.reindex.TransportReindexAction (Extension)
  -> org.elasticsearch.client.RestClient (Extension)
  -> ❌ org.apache.http.client.utils.URIBuilder (Vulnerable Component)
```

Vulnerability Details

Apache httpclient before 4.5.3 is vulnerable to Directory Traversal. A user-provided path was able to override the specified host, resulting in network access to a sensitive environment.

Publish Date: 2017-01-21

URL: WS-2017-3734

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/HTTPCLIENT-1803

Release Date: 2017-01-21

Fix Resolution: org.apache.httpcomponents:httpclient:4.5.3
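Because httpclient-4.3.6.jar arrives transitively (spring-rabbit -> http-client -> httpclient), adding a direct `<dependency>` is not required; a `<dependencyManagement>` entry in the `/pom.xml` named above overrides the transitive version. The fragment below is an added example written for this issue, not code from the Mend report or from the remediate-test6 project; it assumes a standard single-module Maven pom and uses the exact coordinates given in the Fix Resolution.

```xml
<project>
  <!-- existing <groupId>, <artifactId>, <properties>, <dependencies> ... unchanged -->

  <dependencyManagement>
    <dependencies>
      <!-- Pin the transitive org.apache.httpcomponents:httpclient pulled in via
           spring-rabbit-1.7.1.RELEASE -> http-client-1.1.1.RELEASE to the version
           named in the Mend fix resolution (HTTPCLIENT-1803 fixed in 4.5.3).
           dependencyManagement applies to transitive dependencies, so Maven
           resolves httpclient at 4.5.3 without declaring it directly. -->
      <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpclient</artifactId>
        <version>4.5.3</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

After editing, confirm the override took effect with `mvn dependency:tree -Dincludes=org.apache.httpcomponents:httpclient`; the tree should show httpclient at 4.5.3 under http-client with no remaining 4.3.6 node. Since the vulnerable component is reachable through the Elasticsearch `RestClient` path shown in the reachability trace, also run the application's Elasticsearch integration tests against the new version: 4.5.x is a minor-version bump from 4.3.x and the callers in the trace (Elasticsearch RestClient, Spring AMQP http-client) should be exercised rather than assumed compatible.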

mend-local-app[bot] commented 5 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.