Red Hat Bugzilla – Bug 1487563
CVE-2017-14063 async-http-client: Invalid URL parsing with '?'
Last modified: 2018-09-11 03:54:03 EDT
Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.

Upstream issue: https://github.com/AsyncHttpClient/async-http-client/issues/1455
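
One way a caller can avoid depending on two parsers agreeing is to validate with java.net.URI and then hand the HTTP client a URL rebuilt from the parsed components, with the fragment dropped. This is an added example, not code from this bug report or from the async-http-client project; the class name, the allowlist and the sample URLs are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class CanonicalTarget {
    // Hypothetical allowlist, constructed for this example.
    private static final Set<String> ALLOWED_HOSTS = Set.of("allowed.example");

    // Parse once with java.net.URI, check the host, then rebuild the URL from
    // the parsed components so the client library receives no fragment at all.
    static URI canonicalize(String input) throws URISyntaxException {
        URI u = new URI(input).parseServerAuthority();
        String scheme = u.getScheme() == null ? "" : u.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            throw new IllegalArgumentException("scheme must be http or https");
        }
        if (u.getHost() == null || u.getRawUserInfo() != null) {
            throw new IllegalArgumentException("host required, userinfo not accepted");
        }
        String host = u.getHost().toLowerCase(Locale.ROOT);
        if (!ALLOWED_HOSTS.contains(host)) {
            throw new IllegalArgumentException("host not allowed: " + host);
        }
        StringBuilder sb = new StringBuilder(scheme).append("://").append(host);
        if (u.getPort() != -1) sb.append(':').append(u.getPort());
        String path = u.getRawPath();
        sb.append(path == null || path.isEmpty() ? "/" : path);
        if (u.getRawQuery() != null) sb.append('?').append(u.getRawQuery());
        // The fragment is never sent to a server, so dropping it loses nothing.
        URI out = new URI(sb.toString());
        if (!host.equals(out.getHost()) || out.getRawFragment() != null) {
            throw new IllegalArgumentException("canonical form did not round-trip");
        }
        return out;
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed inputs; the second has '?' and '@' inside the fragment.
        String[] samples = {
            "https://allowed.example/api?x=1",
            "http://allowed.example#@other.example/?q",
        };
        for (String s : samples) {
            System.out.println(s + " -> " + canonicalize(s));
        }
    }
}
```

Pass the returned `URI` (or its `toString()`) to the client rather than the original input string, so the host that was checked is the only host present in what the client parses.
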
Created async-http-client tracking bugs for this issue:
Affects: fedora-all [bug 1487565]
This issue has been addressed in the following products:
Red Hat JBoss Fuse
Via RHSA-2018:2669 https://access.redhat.com/errata/RHSA-2018:2669