Lucene search

K
cveRedhatCVE-2012-6153
HistorySep 04, 2014 - 5:55 p.m.

CVE-2012-6153

2014-09-0417:55:04
CWE-20
redhat
web.nvd.nist.gov
137
2
cve-2012-6153
apache commons httpclient
ssl
certificate spoofing
vulnerability
nvd

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

5.9

Confidence

Low

EPSS

0.002

Percentile

62.0%

http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.

Affected configurations

Nvd
Node
apachecommons-httpclientRange4.04.2.2
VendorProductVersionCPE
apachecommons-httpclientcpe:/a:apache:commons-httpclient::::

References

Social References

More

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

5.9

Confidence

Low

EPSS

0.002

Percentile

62.0%