VYPR
Critical severity 9.8 · NVD Advisory · Published Oct 30, 2017 · Updated May 13, 2026

CVE-2013-4366

Description

http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                        Affected versions    Patched versions
org.apache.httpcomponents:httpclient (Maven)   >= 4.3, < 4.3.1      4.3.1

Affected products

  • Apache/Httpclient (4 versions)
    • cpe:2.3:a:apache:httpclient:4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:httpclient:4.3:alpha1:*:*:*:*:*:*
    • cpe:2.3:a:apache:httpclient:4.3:beta1:*:*:*:*:*:*
    • cpe:2.3:a:apache:httpclient:4.3:beta2:*:*:*:*:*:*

Patches

08140864e3e4

Ensure X509HostnameVerifier is never null

https://github.com/apache/httpcomponents-client · Oleg Kalnichevski · Oct 2, 2013 · via ghsa
2 files changed · +7 0
  • httpclient/src/main/java/org/apache/http/impl/client/HttpClientBuilder.java+4 0 modified
    @@ -699,6 +699,10 @@ public CloseableHttpClient build() {
             if (connManager == null) {
                 LayeredConnectionSocketFactory sslSocketFactory = this.sslSocketFactory;
                 if (sslSocketFactory == null) {
    +                X509HostnameVerifier hostnameVerifier = this.hostnameVerifier;
    +                if (hostnameVerifier == null) {
    +                    hostnameVerifier = SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER;
    +                }
                     if (sslcontext != null) {
                         sslSocketFactory = new SSLConnectionSocketFactory(sslcontext, hostnameVerifier);
                     } else {
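
Review bot: the null fallback at `if (hostnameVerifier == null)` sits only inside the `sslSocketFactory == null` branch of build(), and the commit changes no test file (the two files touched are this one and RELEASE_NOTES.txt), so nothing pins the new behaviour. Suggest adding a unit test that builds a client without setting a hostname verifier and asserts that the resulting socket factory carries a non-null verifier. A short comment above the fallback stating that BROWSER_COMPATIBLE_HOSTNAME_VERIFIER is the builder default would also help, since that choice decides how names are matched for every caller relying on defaults.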
    
  • RELEASE_NOTES.txt+3 0 modified
    @@ -1,6 +1,9 @@
     Changes since 4.3
     -------------------
     
    +* Ensure X509HostnameVerifier is never null.
    +  Contributed by Oleg Kalnichevski <olegk at apache.org>
    +
     * [HTTPCLIENT-1405] CONNECT HTTP/1.1 requests lack mandatory 'Host' header.
       Contributed by Oleg Kalnichevski <olegk at apache.org>
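
Review bot: the added entry `* Ensure X509HostnameVerifier is never null.` carries no issue id, unlike the `[HTTPCLIENT-1405]` entry directly below it, and it does not say which component is affected or that the change is security-relevant. Suggest naming HttpClientBuilder in the entry and flagging it as a security fix, so that readers scanning "Changes since 4.3" can tell the upgrade matters for TLS hostname verification.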
     
    
