On Fri, Mar 28, 2025, 08:28 Arturo Bernal <aber...@apache.org> wrote:
> *Severity:* Moderate
>
> *Affected Versions:*
>
>    - Apache HttpClient 5.4.x *(Earlier versions are unaffected.)*

That pattern doesn't make sense to me since it matches 5.4.3. It would be better to list versions or use the less-than and greater-than pattern.

Gary

> *Description:*
> A bug in Apache HttpClient 5.4.x effectively disables Public Suffix List
> (PSL) validation, impacting cookie management and host name verification.
> This may lead to unauthorized access or information disclosure.
>
> Users are advised to upgrade to *Apache HttpClient 5.4.3*, which includes a
> fix for this issue.
>
> *Credit:*
> Discovered by the Apache HttpClient team. Fix contributed by Joe Gallo.
>
> *References:*
>
>    - Introduction PR #574: https://github.com/apache/httpcomponents-client/pull/574
>    - Fix PR #621: https://github.com/apache/httpcomponents-client/pull/621
>    - Apache HttpClient Project: https://hc.apache.org/httpcomponents-client-5.4.x/
>    - CVE Record (once public): https://www.cve.org/CVERecord?id=CVE-2025-27820
>
> Best regards,
>
> Arturo
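The advisory says PSL validation is "effectively disabled" in the affected releases but does not show what that looks like from the API. The following Java program is an added example, written for this note; it is not part of Arturo's advisory, Gary's reply, or the HttpClient project's own code or tests. It loads the bundled Public Suffix List and asks the standard RFC 6265 cookie spec whether a "supercookie" scoped to a public suffix (`Domain=co.uk`) is accepted for a host under that suffix, next to a cookie scoped to the registrable domain. With PSL validation working (5.4.3 per the advisory) the first must be rejected and the second accepted; a run that accepts both indicates the check is not in effect. The HttpClient 5.x class and method names (`PublicSuffixMatcherLoader.getDefault`, `CookieSpecSupport.createDefault`, `StandardCookieSpec.STRICT`, `CookieSpec.parse/validate/match`) are used as the author of this example recalls them and should be checked against the 5.4.x javadoc; the host name and Set-Cookie values are constructed for the example.

```java
import java.util.List;

import org.apache.hc.client5.http.cookie.Cookie;
import org.apache.hc.client5.http.cookie.CookieOrigin;
import org.apache.hc.client5.http.cookie.CookieSpec;
import org.apache.hc.client5.http.cookie.CookieSpecFactory;
import org.apache.hc.client5.http.cookie.MalformedCookieException;
import org.apache.hc.client5.http.cookie.StandardCookieSpec;
import org.apache.hc.client5.http.impl.cookie.CookieSpecSupport;
import org.apache.hc.client5.http.psl.PublicSuffixMatcher;
import org.apache.hc.client5.http.psl.PublicSuffixMatcherLoader;
import org.apache.hc.core5.http.config.Lookup;
import org.apache.hc.core5.http.message.BasicHeader;
import org.apache.hc.core5.http.protocol.BasicHttpContext;

// Added example (not HttpClient project code): checks that cookie-domain
// PSL validation is in effect on the HttpClient 5.x version on the classpath.
public class PslCookieCheck {

    // True if 'spec' accepts every cookie in a Set-Cookie header sent by 'host'
    // for later use on 'host'. Validation or match failures count as rejection.
    static boolean accepted(CookieSpec spec, String host, String setCookie) {
        CookieOrigin origin = new CookieOrigin(host, 443, "/", true);
        try {
            List<Cookie> cookies = spec.parse(new BasicHeader("Set-Cookie", setCookie), origin);
            for (Cookie c : cookies) {
                spec.validate(c, origin);          // domain/path sanity checks
                if (!spec.match(c, origin)) {      // PSL filter is applied here
                    return false;
                }
            }
            return !cookies.isEmpty();
        } catch (MalformedCookieException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        PublicSuffixMatcher psl = PublicSuffixMatcherLoader.getDefault();

        // Sanity check that the bundled list loaded and classifies a known suffix.
        System.out.println("co.uk is a public suffix: " + psl.matches("co.uk"));
        System.out.println("domain root of a.b.example.co.uk: " + psl.getDomainRoot("a.b.example.co.uk"));

        Lookup<CookieSpecFactory> registry = CookieSpecSupport.createDefault(psl);
        CookieSpec spec = registry.lookup(StandardCookieSpec.STRICT).create(new BasicHttpContext());

        String host = "app.example.co.uk";   // constructed host name
        // Supercookie scoped to a public suffix: must be rejected when PSL validation works.
        boolean superCookie = accepted(spec, host, "sid=1; Domain=co.uk; Path=/");
        // Cookie scoped to the registrable domain: must be accepted.
        boolean normal = accepted(spec, host, "sid=1; Domain=example.co.uk; Path=/");

        System.out.println("Domain=co.uk accepted:         " + superCookie + " (expected false)");
        System.out.println("Domain=example.co.uk accepted: " + normal + " (expected true)");

        if (superCookie || !normal) {
            System.out.println("PSL validation is NOT effective on this HttpClient version");
            System.exit(1);
        }
        System.out.println("PSL validation is effective");
    }
}
```

Run it once against the HttpClient version actually on the classpath (for example via `mvn dependency:tree` to confirm which 5.4.x artifact is resolved) rather than against a version pinned only in a parent POM; a transitive dependency can pull in an affected 5.4.0 to 5.4.2 build even when the direct dependency says 5.4.3. The same `PublicSuffixMatcher` instance is what `DefaultHostnameVerifier` takes in its constructor, so a client that constructs its own verifier should be given the loaded matcher as well, since the advisory names host name verification alongside cookie handling.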