In Eclipse Jersey versions 2.45, 3.0.16 and 3.1.9, a race condition can cause critical SSL configuration, such as mutual authentication, custom key/trust stores and other security settings, to be ignored. Under normal circumstances this issue surfaces as an SSLHandshakeException, but under certain conditions it could lead to unauthorized trust in insecure servers (see PoC).
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.glassfish.jersey.core:jersey-client (Maven) | 2.45 | 2.46 | N/A |
| org.glassfish.jersey.core:jersey-client (Maven) | 3.0.16 | 3.0.17 | N/A |
| org.glassfish.jersey.core:jersey-client (Maven) | 3.1.9 | 3.1.10 | N/A |
CVSS Metrics