CVE-2012-5786Improper Input Validation in Apache CXF

CWE-20Improper Input Validation6 documents5 sources
Severity
5.8MEDIUMNVD
EPSS
0.1%
top 73.52%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache CXF
Timeline
PublishedNov 4
Latest updateMay 14

Description

The wsdl_first_https sample code in distribution/src/main/release/samples/wsdl_first_https/src/main/ in Apache CXF before 2.7.0 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. NOTE: The vendor states that the sample had specifically used a flag to bypass the DN check

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 8.6 | Impact: 4.9

Affected Packages1 packages

NVDapache/cxf2.6.17

🔴Vulnerability Details

2
GHSA
GHSA-4267-v6qh-xchc: ** DISPUTED ** The wsdl_first_https sample code in distribution/src/main/release/samples/wsdl_first_https/src/main/ in Apache CXF before 22022-05-14
CVEList
CVE-2012-5786: The wsdl_first_https sample code in distribution/src/main/release/samples/wsdl_first_https/src/main/ in Apache CXF before 22012-11-04

📋Vendor Advisories

1
Red Hat
cxf: Does not verify that the server hostname matches a domain name in the subject's CN or subjectAltName field of the x.509 certificate2012-10-16

💬Community

2
Bugzilla
CVE-2012-5786 cxf: Does not verify that the server hostname matches a domain name in the subject's CN or subjectAltName field of the x.509 certificate [fedora-17]2012-11-05
Bugzilla
CVE-2012-5786 cxf: Does not verify that the server hostname matches a domain name in the subject's CN or subjectAltName field of the x.509 certificate2012-11-05
CVE-2012-5786 — Improper Input Validation in Apache CXF | cvebase