Vulnerability Name:

CVE-2011-1498 (CCN-66241)

Assigned:2011-03-23
Published:2011-03-23
Updated:2011-09-22
Summary:Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server as well as to the proxy, which allows remote web servers to obtain sensitive information (the proxy credentials) by logging this header. Fixed in HttpClient 4.1.1 (HTTPCLIENT-1061; see the 4.1.x release notes referenced below).
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type:CWE-200
Vulnerability Consequences:Obtain Information
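The summary above describes a header-handling bug: a proxy-only credential header is carried onto the request the client sends to the origin server, and any origin server that logs request headers ends up storing the proxy credential. The following is an added example, not code from Apache HttpClient or from any of the referenced vendors, showing the two sides of the issue at the HTTP-message level: what an origin server can extract from a request that carries Proxy-Authorization, and the client-side rule a fixed client applies (proxy-only headers go only on messages addressed to the proxy). The request bytes, host name and credential are constructed for this example; the list of proxy-only headers is an assumption for illustration.

```python
"""Added example (not HttpClient's code): detect and prevent the Proxy-Authorization
leak described in CVE-2011-1498 at the HTTP-message level.

Two halves:
  * origin side: parse a request the way an origin server would log it, flag a
    Proxy-Authorization header, and decode Basic credentials to show exactly
    what a logging server learns;
  * client side: scrub proxy-only headers from a request addressed to the
    origin rather than to the proxy, which is what a fixed client must do.
The sample request below is constructed for this example.
"""
import base64
from typing import List, Optional, Tuple

# Headers meaningful only to the proxy and that must never reach the origin.
# Proxy-Authorization is the one this CVE is about; the others are assumed
# proxy-only hop headers included for illustration.
PROXY_ONLY_HEADERS = {"proxy-authorization", "proxy-connection", "proxy-authenticate"}


def parse_request(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 request into its request line and (name, value) header pairs."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return request_line, headers


def decode_basic(value: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) for a 'Basic <base64>' credential, else None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, _, password = decoded.partition(":")
    return user, password


def find_leaked_proxy_credentials(raw_request: bytes) -> Optional[dict]:
    """Origin-server view: if Proxy-Authorization arrived, report what a log would hold."""
    request_line, headers = parse_request(raw_request)
    for name, value in headers:
        if name.lower() == "proxy-authorization":
            creds = decode_basic(value)
            return {
                "request": request_line,
                "raw": value,
                "user": creds[0] if creds else None,
                "password": creds[1] if creds else None,
            }
    return None


def headers_for_recipient(headers: List[Tuple[str, str]], to_proxy: bool) -> List[Tuple[str, str]]:
    """Client-side fix: proxy-only headers stay only on messages addressed to the proxy."""
    if to_proxy:
        return list(headers)
    return [(n, v) for n, v in headers if n.lower() not in PROXY_ONLY_HEADERS]


def build_request(request_line: str, headers: List[Tuple[str, str]]) -> bytes:
    """Serialise a request line plus headers as HTTP/1.1 wire bytes."""
    return (request_line + "\r\n"
            + "".join(f"{n}: {v}\r\n" for n, v in headers)
            + "\r\n").encode("iso-8859-1")


# Constructed sample: a request a vulnerable client sent to the origin while
# going through an authenticating proxy. Host and credential are made up.
VULNERABLE_REQUEST = build_request("GET /index.html HTTP/1.1", [
    ("Host", "origin.example"),
    ("User-Agent", "example-client/1.0"),
    ("Proxy-Authorization", "Basic " + base64.b64encode(b"proxyuser:S3cret!").decode()),
    ("Connection", "keep-alive"),
])


if __name__ == "__main__":
    leak = find_leaked_proxy_credentials(VULNERABLE_REQUEST)
    print("origin server saw:", leak)
    _, hdrs = parse_request(VULNERABLE_REQUEST)
    fixed = build_request("GET /index.html HTTP/1.1", headers_for_recipient(hdrs, to_proxy=False))
    print("after client-side fix:", find_leaked_proxy_credentials(fixed))
```

find_leaked_proxy_credentials doubles as a quick check for an existing deployment: point the client under test at a tiny origin server (or capture the traffic between the proxy and the origin) and run the captured request through it; a non-None result means the proxy credential is reaching hosts that were never meant to see it, and that any of them keeping header logs now hold it.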
References:Source: MITRE
Type: CNA
CVE-2011-1498

Source: FEDORA
Type: UNKNOWN
FEDORA-2011-7747

Source: MLIST
Type: UNKNOWN
[httpclient-users] 20110224 Proxy-Authorization header received on server side

Source: MLIST
Type: UNKNOWN
[httpclient-users] 20110224 Re: Proxy-Authorization header received on server side

Source: MLIST
Type: UNKNOWN
[httpclient-users] 20110224 RE: Proxy-Authorization header received on server side

Source: MLIST
Type: UNKNOWN
[httpclient-users] 20110224 Re: Proxy-Authorization header received on server side

Source: MLIST
Type: UNKNOWN
[httpclient-users] 20110224 RE: Proxy-Authorization header received on server side

Source: MLIST
Type: UNKNOWN
[oss-security] 20110407 Apache HttpClient CVE request [VU#153049]

Source: MLIST
Type: UNKNOWN
[oss-security] 20110408 Re: Apache HttpClient CVE request [VU#153049]

Source: SREASON
Type: UNKNOWN
8298

Source: CCN
Type: Apache Web Site
HttpClient 4.1.1

Source: CONFIRM
Type: UNKNOWN
http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.1.x.txt

Source: CCN
Type: IBM Security Bulletin 1676776 (WebSphere Portal)
Fixes available for vulnerability in Apache HttpComponents HttpClient contained in IBM WebSphere Portal (CVE-2011-1498)

Source: CCN
Type: IBM Security Bulletin 2015815 (Security QRadar SIEM)
IBM QRadar SIEM contains vulnerable components and libraries. (CVE-2011-1498, CVE-2014-3577, CVE-2015-5262)

Source: CERT-VN
Type: US Government Resource
VU#153049

Source: CCN
Type: OSVDB ID: 71647
Apache HttpComponents HttpClient Proxy-Authorization Credentials Remote Disclosure

Source: BID
Type: UNKNOWN
46974

Source: CCN
Type: BID-46974
Apache HttpComponents 'HttpClient' Information Disclosure Vulnerability

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=709531

Source: XF
Type: UNKNOWN
apache-httpcomponents-info-disclosure(66241)

Source: CONFIRM
Type: UNKNOWN
https://issues.apache.org/jira/browse/HTTPCLIENT-1061

Source: CCN
Type: IBM Security Bulletin 1118481 (Cloud Pak System)
Vulnerability from Apache HttpComponents affects IBM Cloud Pak System (CVE-2011-1498, CVE-2015-5262)

Source: CCN
Type: IBM Security Bulletin 6453091 (WebSphere Application Server)
Multiple Vulnerabilities in Apache HttpComponents and HttpCommons affect WebSphere Application Server

Source: CCN
Type: IBM Security Bulletin 6457781 (Content Collector for Email)
Multiple vulnerabilities in Apache HttpComponents and HttpCommons affect embedded WebSphere Application Server, which affects Content Collector for Email

Source: CCN
Type: IBM Security Bulletin 6471655 (Tivoli Monitoring)
Multiple vulnerabilities affect IBM Tivoli Monitoring installed WebSphere Application Server

Source: CCN
Type: IBM Security Bulletin 6485597 (Security Identity Manager Virtual Appliance)
Security vulnerabilities have been fixed in IBM Security Identity Manager Virtual Appliance

Source: CCN
Type: IBM Security Bulletin 6491177 (Security Identity Manager)
Multiple security vulnerabilities have been fixed in IBM Security Verify Governance, Identity Manager virtual appliance component (ISVG IMVA)

Source: CCN
Type: IBM Security Bulletin 6956539 (MobileFirst Platform Foundation)
Multiple vulnerabilities found with third-party libraries used by IBM MobileFirst Platform

Source: CCN
Type: IBM Security Bulletin 6985905 (Tivoli Application Dependency Discovery Manager)
TADDM is vulnerable to a denial of service due to vulnerabilities in Apache HttpClient

Vulnerable Configuration:Configuration 1:
  • cpe:/a:apache:httpclient:4.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:httpclient:4.0:alpha1:*:*:*:*:*:*
  • OR cpe:/a:apache:httpclient:4.0:alpha2:*:*:*:*:*:*
  • OR cpe:/a:apache:httpclient:4.0:alpha3:*:*:*:*:*:*
  • OR cpe:/a:apache:httpclient:4.0:alpha4:*:*:*:*:*:*
  • OR cpe:/a:apache:httpclient:4.0:beta1:*:*:*:*:*:*
  • OR cpe:/a:apache:httpclient:4.0:beta2:*:*:*:*:*:*
  • OR cpe:/a:apache:httpclient:4.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:httpclient:4.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:httpclient:4.1:alpha1:*:*:*:*:*:*
  • OR cpe:/a:apache:httpclient:4.1:alpha2:*:*:*:*:*:*
  • OR cpe:/a:apache:httpclient:4.1:beta1:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:ibm:websphere_application_server:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.3.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.3.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.3.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.3.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.3.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.3.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:content_collector:4.0.1:*:*:*:email:*:*:*
  • OR cpe:/a:ibm:mobilefirst_platform_foundation:8.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.3.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_manager_virtual_appliance:7.0.1:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID: oval:com.ubuntu.precise:def:20111498000
    Class: V (vulnerability)
    Title: CVE-2011-1498 on Ubuntu 12.04 LTS (precise) - medium.
    Last Modified: 2011-07-07