Apache HttpClient
Apache HttpClient 5.6 does not verify the server's final message in SCRAM-SHA-256 handshakes. In SCRAM (RFC 5802), the server proves it holds the password-derived ServerKey by returning a ServerSignature computed over the whole exchange; that check is what gives SCRAM its mutual-authentication property. A client that skips it completes the handshake against any party able to answer the first leg, so a network attacker can impersonate a legitimate server without knowing any credentials. Because the affected client has already sent its ClientProof and then treats the unauthenticated peer as the real server, an attacker in a man-in-the-middle position compromises the confidentiality and integrity of the authenticated session that follows. Apache released 5.6.1, which restores the missing server-signature check. The EPSS score of 0.03% suggests little current exploitation, but the attack surface is network-reachable with no privileges required (CVSS AV:N/AC:L/PR:N), and the detailed vendor advisory lowers the effort of adapting tooling to manipulate the SCRAM exchange. Upgrade to 5.6.1 or later. Until then, the exposure is greatest where SCRAM is not wrapped in TLS with strict certificate validation, since in that configuration nothing else authenticates the server to the client.
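The exchange the advisory describes, as an added example written here in Python rather than taken from HttpClient's Java code: a minimal SCRAM-SHA-256 (RFC 5802 / RFC 7677) client, a genuine server, and an impostor that knows no password. The `verify_server` switch, the class names and the credentials are constructed for the illustration; with the switch off the client behaves like the vulnerable 5.6 and accepts the impostor, with it on the forged server-final message is rejected.

```python
"""Minimal SCRAM-SHA-256 (RFC 5802 / RFC 7677) exchange showing why the client's
check of the server-final message matters. Added illustration, not Apache HttpClient
code; names, credentials and the verify_server switch are constructed for the example."""
import base64
import hashlib
import hmac
import os

GS2_HEADER = "n,,"  # no channel binding, no authzid

def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802 is PBKDF2 with HMAC-SHA-256."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

def parse(msg: str) -> dict:
    """'k=v,k=v' attribute list -> dict; split on the first '=' only, base64 may contain '='."""
    return dict(item.split("=", 1) for item in msg.split(","))

class Client:
    def __init__(self, username: str, password: str, verify_server: bool):
        self.username, self.password = username, password  # username assumed free of ',' and '='
        self.verify_server = verify_server  # False models the 5.6 flaw, True the 5.6.1 fix

    def first(self) -> str:
        self.cnonce = b64(os.urandom(18))
        self.first_bare = f"n={self.username},r={self.cnonce}"
        return GS2_HEADER + self.first_bare

    def final(self, server_first: str) -> str:
        attrs = parse(server_first)
        if not attrs["r"].startswith(self.cnonce):
            raise ValueError("server nonce does not extend client nonce")
        salted = hi(self.password.encode(), base64.b64decode(attrs["s"]), int(attrs["i"]))
        client_key = mac(salted, b"Client Key")
        without_proof = f"c={b64(GS2_HEADER.encode())},r={attrs['r']}"
        auth_message = ",".join([self.first_bare, server_first, without_proof]).encode()
        # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage), StoredKey = H(ClientKey)
        proof = xor(client_key, mac(hashlib.sha256(client_key).digest(), auth_message))
        # What a genuine server must return: ServerSignature = HMAC(ServerKey, AuthMessage)
        self.expected_v = mac(mac(salted, b"Server Key"), auth_message)
        return f"{without_proof},p={b64(proof)}"

    def accept(self, server_final: str) -> bool:
        if not self.verify_server:
            return True  # the flaw: any server-final message is taken as success
        attrs = parse(server_final)
        return "v" in attrs and hmac.compare_digest(base64.b64decode(attrs["v"]), self.expected_v)

class Server:
    """Genuine server: stores StoredKey and ServerKey, never the password itself."""
    def __init__(self, username: str, password: str, iterations: int = 4096):
        self.salt, self.iterations = os.urandom(16), iterations
        salted = hi(password.encode(), self.salt, iterations)
        self.stored_key = hashlib.sha256(mac(salted, b"Client Key")).digest()
        self.server_key = mac(salted, b"Server Key")

    def first(self, client_first: str) -> str:
        self.first_bare = client_first[len(GS2_HEADER):]
        self.nonce = parse(self.first_bare)["r"] + b64(os.urandom(18))
        self.server_first = f"r={self.nonce},s={b64(self.salt)},i={self.iterations}"
        return self.server_first

    def final(self, client_final: str):
        without_proof, proof = client_final.rsplit(",p=", 1)
        if parse(without_proof)["r"] != self.nonce:
            return None
        auth_message = ",".join([self.first_bare, self.server_first, without_proof]).encode()
        client_key = xor(base64.b64decode(proof), mac(self.stored_key, auth_message))
        if not hmac.compare_digest(hashlib.sha256(client_key).digest(), self.stored_key):
            return None  # wrong password: reject the client
        return "v=" + b64(mac(self.server_key, auth_message))

class Impostor:
    """Network attacker posing as the server. Knows no password, so it can answer the first
    leg with an arbitrary salt and iteration count but cannot compute ServerSignature."""
    def first(self, client_first: str) -> str:
        cnonce = parse(client_first[len(GS2_HEADER):])["r"]
        return f"r={cnonce}{b64(os.urandom(18))},s={b64(os.urandom(16))},i=4096"

    def final(self, client_final: str) -> str:
        return "v=" + b64(os.urandom(32))  # forged server-final message

def handshake(client, server) -> tuple:
    """Run the four-message exchange. Returns (server_reported_success, client_accepted_server)."""
    server_first = server.first(client.first())
    server_final = server.final(client.final(server_first))
    if server_final is None:
        return (False, False)
    return (True, client.accept(server_final))

if __name__ == "__main__":
    genuine = Server("alice", "correct horse battery staple")
    for verify in (False, True):
        for peer in (genuine, Impostor()):
            c = Client("alice", "correct horse battery staple", verify_server=verify)
            print(f"verify_server={verify!s:5} peer={type(peer).__name__:8} -> {handshake(c, peer)}")
```

Running the script prints `(True, True)` for the impostor when `verify_server=False`: the client has handed over its ClientProof and proceeds as if authenticated. With the check enabled the same impostor yields `(True, False)`, which is the outcome 5.6.1 restores. Note that the impostor also chooses the salt and iteration count the client derives its keys from, which is why the client must not treat the handshake as complete before the server has proven itself.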