Lucene search

K
cveMitreCVE-2012-5783
HistoryNov 04, 2012 - 10:55 p.m.

CVE-2012-5783

2012-11-0422:55:03
CWE-295
mitre
web.nvd.nist.gov
169
apache commons httpclient
ssl
man-in-the-middle attack
invalid certificate
nvd
cve-2012-5783

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

AI Score

6.8

Confidence

Low

EPSS

0.002

Percentile

62.0%

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Affected configurations

Nvd
Node
apachehttpclientMatch3.1
Node
canonicalubuntu_linuxMatch12.04-
OR
canonicalubuntu_linuxMatch14.04esm
OR
canonicalubuntu_linuxMatch15.04
VendorProductVersionCPE
apachehttpclient3.1cpe:2.3:a:apache:httpclient:3.1:*:*:*:*:*:*:*
canonicalubuntu_linux12.04cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
canonicalubuntu_linux14.04cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
canonicalubuntu_linux15.04cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

AI Score

6.8

Confidence

Low

EPSS

0.002

Percentile

62.0%