Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
References
Configurations
History
23 Apr 2021, 17:28
Type | Values Removed | Values Added |
---|---|---|
References | (SUSE) http://lists.opensuse.org/opensuse-updates/2013-04/msg00041.html - Broken Link | |
References | (REDHAT) http://rhn.redhat.com/errata/RHSA-2013-0270.html - Broken Link | |
References | (SUSE) http://lists.opensuse.org/opensuse-updates/2013-04/msg00040.html - Broken Link | |
References | (BID) http://www.securityfocus.com/bid/58073 - Third Party Advisory, VDB Entry | |
References | (SUSE) http://lists.opensuse.org/opensuse-updates/2013-04/msg00053.html - Broken Link | |
References | (UBUNTU) http://www.ubuntu.com/usn/USN-2769-1 - Third Party Advisory | |
References | (REDHAT) http://rhn.redhat.com/errata/RHSA-2013-0682.html - Broken Link | |
References | (REDHAT) https://access.redhat.com/errata/RHSA-2017:0868 - Third Party Advisory | |
References | (REDHAT) http://rhn.redhat.com/errata/RHSA-2013-0681.html - Broken Link | |
References | (REDHAT) http://rhn.redhat.com/errata/RHSA-2014-0224.html - Broken Link | |
References | (SUSE) http://lists.opensuse.org/opensuse-updates/2013-02/msg00078.html - Broken Link | |
References | (REDHAT) http://rhn.redhat.com/errata/RHSA-2013-0680.html - Broken Link | |
References | (CONFIRM) https://issues.apache.org/jira/browse/HTTPCLIENT-1265 - Issue Tracking, Patch, Vendor Advisory | |
References | (REDHAT) http://rhn.redhat.com/errata/RHSA-2013-1147.html - Broken Link | |
References | (XF) https://exchange.xforce.ibmcloud.com/vulnerabilities/79984 - Third Party Advisory, VDB Entry | |
References | (REDHAT) http://rhn.redhat.com/errata/RHSA-2013-1853.html - Broken Link | |
References | (REDHAT) http://rhn.redhat.com/errata/RHSA-2013-0679.html - Broken Link | |
References | (MISC) http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf - Technical Description, Third Party Advisory | |
CPE | cpe:2.3:a:apache:commons-httpclient:3.0:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:* cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:* |
cpe:2.3:a:apache:httpclient:3.1:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:* cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:* |
CWE | CWE-295 |
Information
Published : 2012-11-04 22:55
Updated : 2023-12-10 11:16
NVD link : CVE-2012-5783
Mitre link : CVE-2012-5783
CVE.ORG link : CVE-2012-5783
JSON object : View
Products Affected
apache
- httpclient
canonical
- ubuntu_linux
CWE
CWE-295
Improper Certificate Validation