Thanks for the feedback Gary. I am aware of the differences and incompatibilities.

A CPE is unrelated to the Java package and Maven coordinates. Its scope is a /product/ rather than a /package/. Hence, "cpe:2.3:a:apache:httpcomponents_core:*:*:*:*:*:*:*:*" applies to the entire HC product line.

To assess the applicability of the vulnerability, I'm a trying to find out if HC v4.4 is just as vulnerable as v5 is/was. I see that MessageConstraints.Builder uses the same pattern as Http1Config that Oleg fixed.

On 06.07.2026 21:14, Gary Gregory wrote:
The CVE doesn't talk about 4.x because it lives in a different Java
package and different Maven coordinates. 5.x is not a drop in
replacement for 4.x. If you tried to replace 4.x with 5.x, your app
wouldn't run. So it doesn't make sense for a report to talk about 4.x
and 5.x, except in the most general terms.
--
Marcel Stör, https://frightanic.com
My PGP key: https://frightanic.com/pgp/

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

Reply via email to