{ "threat_severity" : "Moderate", "public_date" : "2025-04-24T11:44:25Z", "bugzilla" : { "description" : "org.apache.httpcomponents.client5/httpclient5: Apache HttpComponents: PSL (Public Suffix List) validation bypass", "id" : "2362042", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2362042" }, "cvss3" : { "cvss3_base_score" : "6.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N", "status" : "draft" }, "cwe" : "CWE-295", "details" : [ "A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release", "A flaw was found in Apache HttpClient. This vulnerability allows unauthorized access or information disclosure via disabled Public Suffix List (PSL) validation, affecting cookie management and hostname verification." ], "statement" : "This vulnerability is rated Moderate due to the high attack complexity required for exploitation, the limited impact on confidentiality, and the fact that the issue does not allow direct system compromise or denial of service. While the failure to load the Public Suffix List weakens hostname and cookie validation, it does not lead to immediate critical security breaches, and mitigation techniques such as manual cookie domain validation and other security measures typically reduce the risk in real-world scenarios.", "package_state" : [ { "product_name" : "Cryostat 3", "fix_state" : "Not affected", "package_name" : "httpclient5", "cpe" : "cpe:/a:redhat:cryostat:3" }, { "product_name" : "Cryostat 4", "fix_state" : "Not affected", "package_name" : "httpclient5", "cpe" : "cpe:/a:redhat:cryostat:4" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Not affected", "package_name" : "httpclient5", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat AMQ Clients", "fix_state" : "Fix deferred", "package_name" : "httpclient5", "cpe" : "cpe:/a:redhat:amq_clients:2023" }, { "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3", "fix_state" : "Not affected", "package_name" : "quarkus-camel-bom", "cpe" : "cpe:/a:redhat:camel_quarkus:3" }, { "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3", "fix_state" : "Not affected", "package_name" : "quarkus-cxf-bom", "cpe" : "cpe:/a:redhat:camel_quarkus:3" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 4", "fix_state" : "Not affected", "package_name" : "httpclient5", "cpe" : "cpe:/a:redhat:camel_spring_boot:4" }, { "product_name" : "Red Hat build of Apache Camel - HawtIO 4", "fix_state" : "Not affected", "package_name" : "httpclient5", "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4" }, { "product_name" : "Red Hat build of Apicurio Registry 2", "fix_state" : "Not affected", "package_name" : "httpclient5", "cpe" : "cpe:/a:redhat:service_registry:2" }, { "product_name" : "Red Hat build of Apicurio Registry 3", "fix_state" : "Not affected", "package_name" : "httpclient5", "cpe" : "cpe:/a:redhat:apicurio_registry:3" }, { "product_name" : "Red Hat build of Debezium 2", "fix_state" : "Not affected", "package_name" : "httpclient5", "cpe" : "cpe:/a:redhat:debezium:2" }, { "product_name" : "Red Hat build of Debezium 3", "fix_state" : "Not affected", "package_name" : "httpclient5", "cpe" : "cpe:/a:redhat:debezium:3" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "httpclient5", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "httpclient5", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "httpclient5", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "httpclient5", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "httpclient5", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Web Server 6", "fix_state" : "Not affected", "package_name" : "httpclient5", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-modelmesh-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "httpclient5", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "streams for Apache Kafka", "fix_state" : "Not affected", "package_name" : "httpclient5", "cpe" : "cpe:/a:redhat:amq_streams:1" }, { "product_name" : "streams for Apache Kafka 2", "fix_state" : "Fix deferred", "package_name" : "httpclient5", "cpe" : "cpe:/a:redhat:amq_streams:2" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-27820\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-27820\nhttps://github.com/advisories/GHSA-73m2-qfq3-56cx\nhttps://github.com/apache/httpcomponents-client/pull/574\nhttps://github.com/apache/httpcomponents-client/pull/621\nhttps://hc.apache.org/httpcomponents-client-5.4.x/index.html\nhttps://lists.apache.org/thread/55xhs40ncqv97qvoocok44995xp5kqn8" ], "name" : "CVE-2025-27820", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }