Lucene search

[email protected]CVE-2012-5787

HistoryNov 04, 2012 - 10:55 p.m.

CVE-2012-5787

2012-11-0422:55:03

CWE-20

[email protected]

web.nvd.nist.gov

paypal

merchant

sdk

x.509

certificate

ssl

security vulnerability

nvd

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

47.8%

JSON

The PayPal merchant SDK does not verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Affected configurations

NVD

Node

paypalmerchant_sdkMatch-

CPENameOperatorVersion
paypal:merchant_sdkpaypal merchant sdkeq-

CPE	Name	Operator	Version
paypal:merchant_sdk	paypal merchant sdk	eq	-

References

secunia.com/advisories/51184

www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

www.securityfocus.com/bid/56445

exchange.xforce.ibmcloud.com/vulnerabilities/79913

github.com/paypal/SDKs/commit/5f2d6dd77fb4211dcde34e36f1864234526c5d64

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

47.8%

JSON

Related for CVE-2012-5787

cvelist1 nvd1 prion1