Lucene search

K
osvGoogleOSV:DLA-222-1
HistoryMay 19, 2015 - 12:00 a.m.

commons-httpclient - security update

2015-05-1900:00:00
Google
osv.dev
21
apache commons httpclient
security update
ssl server spoofing
cve-2012-5783
cve-2012-6153
cve-2014-3577

EPSS

0.004

Percentile

73.3%

  • CVE-2012-5783
    and CVE-2012-6153
    Apache Commons HttpClient 3.1 did not verify that the server hostname
    matches a domain name in the subject’s Common Name (CN) or subjectAltName
    field of the X.509 certificate, which allows man-in-the-middle attackers to
    spoof SSL servers via an arbitrary valid certificate.
    Thanks to Alberto Fernandez Martinez for the patch.
  • CVE-2014-3577
    It was found that the fix for CVE-2012-6153 was incomplete: the code added
    to check that the server hostname matches the domain name in a subject’s
    Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle
    attacker could use this flaw to spoof an SSL server using a specially
    crafted X.509 certificate. The fix for CVE-2012-6153 was intended to address
    the incomplete patch for CVE-2012-5783. The issue is now completely resolved
    by applying this patch and the one for the previous CVEs

This upload was prepared by Markus Koschany.