CVE-2012-5784

CWE-20 — Improper Input Validation CWE-29713 documents7 sources

Severity

5.8MEDIUM

EPSS

1.6%

top 18.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Activemq Apache Axis

Timeline

PublishedNov 4

Latest updateOct 7

Description

Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 8.6 | Impact: 4.9

Affected Packages5 packages

▶NVDapache/axis1.4+5

▶NVDapache/activemq5.7.0

▶Mavenorg.apache.axis:axis1.4

▶Debianaxis< 1.4-16.1+3

▶Mavenaxis:axis1.4

🔴Vulnerability Details

GHSA

Man-in-the-middle attack in Apache Axis↗2020-10-07

▶

OSV

Man-in-the-middle attack in Apache Axis↗2020-10-07

▶

GHSA

Improper Validation of Certificates in apache axis↗2018-10-16

▶

CVEList

CVE-2012-5784: Apache Axis 1↗2012-11-04

▶

OSV

CVE-2012-5784: Apache Axis 1↗2012-11-04

▶

📋Vendor Advisories

Red Hat

axis: SSL hostname verification bypass, incomplete CVE-2012-5784 fix↗2014-08-19

▶

Red Hat

axis: missing connection hostname check against X.509 certificate name↗2012-10-16

▶

Debian

CVE-2012-5784: axis - Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, Pa...↗2012

▶

💬Community

Bugzilla

CVE-2014-3596 axis: SSL hostname verification bypass, incomplete CVE-2012-5784 fix↗2014-08-14

▶

Bugzilla

CVE-2012-5784 axis: Does not verify that the server hostname matches a domain name in the subject's CN or subjectAltName field of the x.509 certificate [fedora-all]↗2013-01-16

▶

Bugzilla

CVE-2012-5784 axis: Does not verify that the server hostname matches a domain name in the subject's CN or subjectAltName field of the x.509 certificate [fedora-all]↗2012-11-05

▶

Bugzilla

CVE-2012-5784 axis: missing connection hostname check against X.509 certificate name↗2012-11-05

▶