CVE-2012-5785

CWE-20 — Improper Input Validation7 documents6 sources

Severity

5.8MEDIUM

EPSS

0.5%

top 34.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Axis2

Timeline

PublishedNov 4

Latest updateMay 17

Description

Apache Axis2/Java 1.6.2 and earlier does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 8.6 | Impact: 4.9

Affected Packages3 packages

▶Mavenorg.apache.axis2:axis2< 1.8.0

▶Mavenorg.apache.axis2:axis2-transport-http< 1.8.0

▶NVDapache/axis21.6.2+8

🔴Vulnerability Details

OSV

Apache Axis2 has Improper Input Validation↗2022-05-17

▶

GHSA

Apache Axis2 has Improper Input Validation↗2022-05-17

▶

CVEList

CVE-2012-5785: Apache Axis2/Java 1↗2012-11-04

▶

📋Vendor Advisories

Red Hat

axis2: Does not verify that the server hostname matches a domain name in the subject's CN or subjectAltName field of the x.509 certificate↗2012-10-16

▶

💬Community

Bugzilla

CVE-2012-5785 axis2: Does not verify that the server hostname matches a domain name in the subject's CN or subjectAltName field of the x.509 certificate [fedora-17]↗2012-11-05

▶

Bugzilla

CVE-2012-5785 axis2: Does not verify that the server hostname matches a domain name in the subject's CN or subjectAltName field of the x.509 certificate↗2012-11-05

▶