CVSS2: 5.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
EPSS: 0.004 Low (percentile 74.4%)
Package : commons-httpclient
Version : 3.1-9+deb6u1
CVE ID : CVE-2012-5783 CVE-2012-6153 CVE-2014-3577
CVE-2012-5783 and CVE-2012-6153
Apache Commons HttpClient 3.1 did not verify that the server hostname
matches a domain name in the subject's Common Name (CN) or subjectAltName
field of the X.509 certificate, which allows man-in-the-middle attackers to
spoof SSL servers via an arbitrary valid certificate.
Thanks to Alberto Fernandez Martinez for the patch.
CVE-2014-3577
It was found that the fix for CVE-2012-6153 was incomplete: the code added
to check that the server hostname matches the domain name in a subject's
Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle
attacker could use this flaw to spoof an SSL server using a specially
crafted X.509 certificate. The fix for CVE-2012-6153 was intended to address
the incomplete patch for CVE-2012-5783. The issue is now completely resolved
by applying this patch and the one for the previous CVEs.
This upload was prepared by Markus Koschany.
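As an added illustration (not code from the Debian package or from Apache HttpClient), the hostname check the advisory describes, in Python: subjectAltName dNSName entries are matched first, the subject CN only as a fallback when the certificate carries none, and a wildcard only as a whole left-most label. Certificate fields are read from the dict layout that Python's `ssl.getpeercert()` returns; the sample certificates are constructed for the example.

```python
from typing import List, Optional, Tuple

def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against the server hostname.

    A wildcard is honoured only as the entire left-most label ("*.example.com"),
    covers exactly one label, and never matches the bare parent domain.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    head, sep, tail = pattern.partition(".")
    if head != "*" or not sep or "*" in tail:
        return False  # partial ("w*.") or nested wildcards are rejected
    host_head, host_sep, host_tail = hostname.partition(".")
    return bool(host_head) and bool(host_sep) and host_tail == tail

def cert_names(cert: dict) -> Tuple[List[str], Optional[str]]:
    """Extract dNSName SANs and the subject CN from a cert in ssl.getpeercert() layout.

    The CN is read from the parsed subject RDNs rather than by searching the string
    form of the DN, so other attributes (O, OU, ...) cannot be mistaken for it.
    """
    san = [val for kind, val in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = next((val for rdn in cert.get("subject", ()) for attr, val in rdn
               if attr == "commonName"), None)
    return san, cn

def hostname_matches(hostname: str, cert: dict) -> bool:
    """True only if the certificate was issued for `hostname` (the check CVE-2012-5783 lacked).

    subjectAltName dNSName entries are authoritative when present; the CN is a
    legacy fallback consulted only when the certificate carries none.
    """
    san, cn = cert_names(cert)
    if san:
        return any(name_matches(n, hostname) for n in san)
    return cn is not None and name_matches(cn, hostname)

# Constructed sample certificates in ssl.getpeercert() layout (not real certificates).
VICTIM_CERT = {"subject": ((("organizationName", "Example Ltd"),), (("commonName", "www.example.com"),)),
               "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.cdn.example.com"))}
OTHER_VALID_CERT = {"subject": ((("commonName", "host.other-site.example"),),),
                    "subjectAltName": (("DNS", "host.other-site.example"),)}

if __name__ == "__main__":
    # An arbitrary valid certificate issued for some other name must be rejected.
    print(hostname_matches("www.example.com", VICTIM_CERT))       # True
    print(hostname_matches("www.example.com", OTHER_VALID_CERT))  # False
```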
| OS | OS Version | Architecture | Package | Affected Version | Fixed Filename |
|---|---|---|---|---|---|
| Debian | 6 | all | commons-httpclient | < 3.1-9+deb6u1 | commons-httpclient_3.1-9+deb6u1_all.deb |
| Debian | 6 | all | libcommons-httpclient-java | < 3.1-9+deb6u1 | libcommons-httpclient-java_3.1-9+deb6u1_all.deb |
| Debian | 6 | all | libcommons-httpclient-java-doc | < 3.1-9+deb6u1 | libcommons-httpclient-java-doc_3.1-9+deb6u1_all.deb |
| Debian | 7 | all | commons-httpclient | < 3.1-10.2+deb7u1 | commons-httpclient_3.1-10.2+deb7u1_all.deb |
| Debian | 7 | all | libcommons-httpclient-java | < 3.1-10.2+deb7u1 | libcommons-httpclient-java_3.1-10.2+deb7u1_all.deb |
| Debian | 7 | all | libcommons-httpclient-java-doc | < 3.1-10.2+deb7u1 | libcommons-httpclient-java-doc_3.1-10.2+deb7u1_all.deb |
| Debian | 7 | all | httpcomponents-client | < 4.1.1-2+deb7u1 | httpcomponents-client_4.1.1-2+deb7u1_all.deb |
| Debian | 7 | all | libhttpclient-java | < 4.1.1-2+deb7u1 | libhttpclient-java_4.1.1-2+deb7u1_all.deb |
| Debian | 7 | all | libhttpmime-java | < 4.1.1-2+deb7u1 | libhttpmime-java_4.1.1-2+deb7u1_all.deb |