Lucene search

K
ibmIBM96B854658FB25B1C41C7953D07DFA40702863F7DF3DA2149F3BC57ED6B4B5CAA
HistoryNov 28, 2018 - 12:00 p.m.

Security Bulletin: Information disclosure in Apache Commons HttpClient used by WebSphere Application Server shipped with Jazz for Service Management (CVE-2012-5783)

2018-11-2812:00:02
www.ibm.com
6

EPSS

0.002

Percentile

62.0%

Summary

There is a potential information disclosure in Apache Commons HttpClient used by WebSphere Application Server.

Vulnerability Details

CVEID: CVE-2012-5783 DESCRIPTION: Apache Commons HttpClient, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the subject’s Common Name (CN) field of the X.509 certificate. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/79984 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

Jazz for Service Management version 1.1.0 - 1.1.3

Remediation/Fixes

Principal Product and Version(s)

| Affected Supporting Product and Version | Affected Supporting Product Security Bulletin
—|—|—
Jazz for Service Management version 1.1.0 - 1.1.3 | Websphere Application Server Full Profile 8.5.5 |

Security Bulletin: Information disclosure in Apache Commons HttpClient used by WebSphere Application Server (CVE-2012-5783)

Workarounds and Mitigations

Please refer to WAS iFix