=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN255

_____________________________________________________________________

DATE                : 25/04/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache HttpClient versions 5.4.x prior to 5.4.3.

=====================================================================
https://lists.apache.org/thread/55xhs40ncqv97qvoocok44995xp5kqn8
_____________________________________________________________________

CVE-2025-27820: Apache HttpClient: PSL Validation Bypass
*Severity:* Moderate

*Affected Versions:*

   - Apache HttpClient 5.4.x
     *(Earlier versions are unaffected.)*

*Description:*
A bug in Apache HttpClient 5.4.x effectively disables Public Suffix
List (PSL) validation, impacting cookie management and host name
verification.
This may lead to unauthorized access or information disclosure.

Users are advised to upgrade to *Apache HttpClient 5.4.3*, which
includes a fix for this issue.
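After upgrading, a practitioner will want to confirm that the HttpClient actually resolved on the classpath applies Public Suffix List rules as expected, since a silently disabled PSL lets a cookie scoped to a public suffix such as co.uk be accepted and shared across unrelated sites. The following sanity check is an added example, not part of this note or of the Apache project's code. It uses the public org.apache.hc.client5.http.psl API (PublicSuffixMatcherLoader and PublicSuffixMatcher) as documented for HttpClient 5.x; the expected results are assumptions derived from the PSL itself, and the class and method names PslSanityCheck and run are hypothetical. The advisory does not state how the defect manifests, so the check validates the expected behaviour rather than reproducing the bug.

```java
// Added example (not from the CERT-Renater note or the Apache project):
// verify that the Public Suffix List rules shipped with the HttpClient on the
// classpath behave as expected. Assumes the public
// org.apache.hc.client5.http.psl API of HttpClient 5.x.
import org.apache.hc.client5.http.psl.PublicSuffixMatcher;
import org.apache.hc.client5.http.psl.PublicSuffixMatcherLoader;

public final class PslSanityCheck {

    // Constructed test cases: domain, whether it is a public suffix,
    // expected registrable domain root (null = not checked for suffixes).
    private static final String[][] CASES = {
        // A public suffix must be recognized as one; otherwise a cookie with
        // Domain=co.uk would be stored and sent to every .co.uk host.
        { "co.uk",                "true",  null },
        { "com",                  "true",  null },
        // Registrable domains are not public suffixes, and their root is the
        // label directly below the suffix.
        { "example.co.uk",        "false", "example.co.uk" },
        { "www.example.co.uk",    "false", "example.co.uk" },
        { "sub.test.example.com", "false", "example.com" },
    };

    // Runs every case against the given matcher and returns the number of
    // mismatches; zero means PSL validation behaves as the PSL requires.
    static int run(PublicSuffixMatcher matcher) {
        int failures = 0;
        for (String[] c : CASES) {
            String domain = c[0];
            boolean expectSuffix = Boolean.parseBoolean(c[1]);
            String expectRoot = c[2];

            boolean isSuffix = matcher.matches(domain);
            if (isSuffix != expectSuffix) {
                failures++;
                System.err.printf("FAIL %s: matches()=%s, expected %s%n",
                        domain, isSuffix, expectSuffix);
            }

            if (expectRoot != null) {
                String root = matcher.getDomainRoot(domain);
                if (!expectRoot.equals(root)) {
                    failures++;
                    System.err.printf("FAIL %s: getDomainRoot()=%s, expected %s%n",
                            domain, root, expectRoot);
                }
            }
        }
        return failures;
    }

    public static void main(String[] args) {
        // The default matcher is backed by the PSL copy bundled with the client.
        PublicSuffixMatcher matcher = PublicSuffixMatcherLoader.getDefault();
        int failures = run(matcher);
        if (failures == 0) {
            System.out.println("PSL validation OK");
        } else {
            System.out.println("PSL validation mismatches: " + failures);
        }
        System.exit(failures == 0 ? 0 : 1);
    }
}
```

Run it with the application's own classpath so that it exercises the artifact actually deployed rather than a freshly downloaded one; pair it with a dependency report such as `mvn dependency:tree` to confirm that no transitive dependency still pins httpclient5 to a 5.4.x release below 5.4.3.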


*Credit:*
Discovered by the Apache HttpClient team. Fix contributed by Joe
Gallo.


*References:*

   - Introduction PR #574:
     https://github.com/apache/httpcomponents-client/pull/574
   - Fix PR #621:
     https://github.com/apache/httpcomponents-client/pull/621
   - Apache HttpClient Project:
     https://hc.apache.org/httpcomponents-client-5.4.x/
   - CVE Record (once public):
     https://www.cve.org/CVERecord?id=CVE-2025-27820

Best regards,

Arturo

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
