CVE-2012-5783
CWE-295 — Improper Certificate Validation
CWE-297
CWE-20 — Improper Input Validation
18 documents, 8 sources
Severity
5.8 MEDIUM
EPSS
0.6%
top 30.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Nov 4
Latest update: May 13
Description
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVSS vector
AV:N/AC:M/C:P/I:P/A:N
Exploitability: 8.6 | Impact: 4.9
Affected Packages (4 packages)
Also affects: Ubuntu Linux 12.04, 14.04, 15.04
Patches
Vulnerability Details (6)
Vendor Advisories (3)
Community (7)
Bugzilla: CVE-2014-3603 OpenSAML Java: HTTPS Connections Via HTTP Resources Do Not Perform Hostname Verification (2014-08-20)
Bugzilla: CVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix (2014-08-14)
Bugzilla: CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name [fedora-all] (2014-01-16)
Bugzilla: jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783) (2013-02-12)
Bugzilla: jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783) [fedora-all] (2013-02-12)