Moderate severity · NVD Advisory · Published Jul 7, 2011 · Updated Apr 29, 2026
CVE-2011-1498
Description
Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.httpcomponents:httpclient (Maven) | >= 4.0.0, < 4.1.1 | 4.1.1 |
Affected products
- cpe:2.3:a:apache:httpclient:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:httpclient:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:httpclient:4.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:apache:httpclient:4.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:apache:httpclient:4.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:apache:httpclient:4.0:alpha4:*:*:*:*:*:*
- cpe:2.3:a:apache:httpclient:4.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:httpclient:4.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:apache:httpclient:4.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:httpclient:4.1:alpha1:*:*:*:*:*:*
- cpe:2.3:a:apache:httpclient:4.1:alpha2:*:*:*:*:*:*
- cpe:2.3:a:apache:httpclient:4.1:beta1:*:*:*:*:*:*
Patches
Commit a572756592c9: HTTPCLIENT-1061: Proxy-Authorization header gets sent to the target host when tunneling requests through a proxy that requires authentication
2 files changed · +14 −0
httpclient/src/main/java/org/apache/http/client/protocol/RequestProxyAuthentication.java+10 −0 modified@@ -43,6 +43,9 @@ import org.apache.http.auth.AuthenticationException; import org.apache.http.auth.ContextAwareAuthScheme; import org.apache.http.auth.Credentials; +import org.apache.http.conn.HttpRoutedConnection; +import org.apache.http.conn.routing.HttpRoute; +import org.apache.http.protocol.ExecutionContext; import org.apache.http.protocol.HttpContext; /** @@ -74,6 +77,13 @@ public void process(final HttpRequest request, final HttpContext context) return; } + HttpRoutedConnection conn = (HttpRoutedConnection) context.getAttribute( + ExecutionContext.HTTP_CONNECTION); + HttpRoute route = conn.getRoute(); + if (route.isTunnelled()) { + return; + } + // Obtain authentication state AuthState authState = (AuthState) context.getAttribute( ClientContext.PROXY_AUTH_STATE);
RELEASE_NOTES.txt+4 −0 modified@@ -1,5 +1,9 @@ Changes since 4.1 +* [HTTPCLIENT-1061] Fixed critical bug causing Proxy-Authorization header to be sent to the target + host when tunneling requests through a proxy server that requires authentication. + Contributed by Oleg Kalnichevski <olegk at apache.org> + * [HTTPCLIENT-1056] Fixed bug causing the RequestAuthCache protocol interceptor to generate an invalid AuthScope instance when looking up user credentials for preemptive authentication. Contributed by Oleg Kalnichevski <olegk at apache.org>
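Review bot: in the second hunk of RequestProxyAuthentication.java, `HttpRoutedConnection conn = (HttpRoutedConnection) context.getAttribute(ExecutionContext.HTTP_CONNECTION);` is followed directly by `conn.getRoute()` with no null or type check, so a context that has no connection attached yet (or one that is not a `HttpRoutedConnection`) now fails with a NullPointerException or ClassCastException where the old code would have proceeded. Since the whole point of the change is that proxy credentials must never travel on a request that goes end-to-end to the origin once the tunnel is up, the safer guard is to skip the header whenever the route cannot be established rather than fall through to sending it: e.g. `if (conn == null) { return; }` ahead of `HttpRoute route = conn.getRoute();`. A one-line comment above `if (route.isTunnelled())` explaining that the request is addressed to the target host, not the proxy, on a tunnelled route would also save the next reader from having to reconstruct the reasoning from the JIRA issue.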
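Review bot: the RELEASE_NOTES.txt entry under `[HTTPCLIENT-1061]` describes the fix but gives no CVE identifier; downstream packagers (the Fedora and Red Hat references on this advisory track the issue by CVE id) would be able to match this release to CVE-2011-1498 more easily if the identifier were added next to the JIRA key in the same line.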
References
- github.com/advisories/GHSA-gw85-4gmf-m7rh (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2011-1498 (GHSA, advisory)
- lists.fedoraproject.org/pipermail/package-announce/2011-June/061440.html (NVD, web)
- marc.info (NVD, web; five mailing-list archive links whose full URLs are not preserved in the source)
- openwall.com/lists/oss-security/2011/04/07/7 (NVD, web)
- openwall.com/lists/oss-security/2011/04/08/1 (NVD, web)
- securityreason.com/securityalert/8298 (NVD, web)
- www.kb.cert.org/vuls/id/153049 (NVD, US Government Resource)
- bugzilla.redhat.com/show_bug.cgi (NVD, web; bug id not preserved in the source)
- github.com/apache/httpcomponents-client/commit/a572756592c969affd0ce87885724e74839176fb (GHSA, web)
- issues.apache.org/jira/browse/HTTPCLIENT-1061 (NVD, web)
- www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.1.x.txt (NVD)
- www.securityfocus.com/bid/46974 (NVD)