A CPE is unrelated to the Java package and Maven coordinates. Its scope is a /product/ rather than a /package/. Hence, "cpe:2.3:a:apache:httpcomponents_core:*:*:*:*:*:*:*:*" applies to the entire HC product line.
To assess the applicability of the vulnerability, I'm a trying to find out if HC v4.4 is just as vulnerable as v5 is/was. I see that MessageConstraints.Builder uses the same pattern as Http1Config that Oleg fixed.
On 06.07.2026 21:14, Gary Gregory wrote:
The CVE doesn't talk about 4.x because it lives in a different Java package and different Maven coordinates. 5.x is not a drop in replacement for 4.x. If you tried to replace 4.x with 5.x, your app wouldn't run. So it doesn't make sense for a report to talk about 4.x and 5.x, except in the most general terms.
-- Marcel Stör, https://frightanic.com My PGP key: https://frightanic.com/pgp/
OpenPGP_signature.asc
Description: OpenPGP digital signature
