907 matches found
Security Bulletin: TADDM is vulnerable to a denial of service due to vulnerabilities in Apache HttpClient
Summary: Apache HttpClient is used by IBM Tivoli Application Dependency Discovery Manager and is vulnerable to CVE-2011-1498, CVE-2012-5783, CVE-2012-6153, CVE-2014-3577, CVE-2015-5262. Vulnerability Details: CVEID: CVE-2011-1498 DESCRIPTION: Apache HttpComponents could allow a remote attacker to obtain...
AIX (IJ45221)
The version of AIX installed on the remote host is prior to APAR IJ45221. It is, therefore, affected by a vulnerability as referenced in the IJ45221 advisory. - Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify tha...
AIX (IJ44987)
The version of AIX installed on the remote host is prior to APAR IJ44987. It is, therefore, affected by a vulnerability as referenced in the IJ44987 advisory. - Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify tha...
Security Bulletin: AIX is vulnerable to an SSL server spoof due to Apache Commons HttpClient (CVE-2012-5783)
Summary A vulnerability in Apache Commons HttpClient could allow a remote attacker to conduct spoofing attacks CVE-2012-5783. AIX ships Apache Commons HttpClient as part of Electronic Customer Care. Vulnerability Details CVEID:CVE-2012-5783 DESCRIPTION: Apache Commons HttpClient, as used in Amazo...
AIX is vulnerable to an SSL server spoof due to Apache Commons HttpClient
IBM SECURITY ADVISORY First Issued: Thu Apr 13 13:44:57 CDT 2023 The most recent version of this document is available here: https://aix.software.ibm.com/aix/efixes/security/commonshttpadvisory.asc Security Bulletin: AIX is vulnerable to an SSL server spoof due to Apache Commons HttpClient...
Security Bulletin: Multiple vulnerabilities in Open Source software used by Cloud Pak System
Summary Multiple vulnerabilities in Open Source software used by Cloud Pak System. IBM Cloud Pak System has addressed those vulnerabilities. Vulnerability Details CVEID:CVE-2015-1832 DESCRIPTION: Apache Derby could allow a remote attacker to obtain sensitive information, caused by a XML external...
Security Bulletin: Vulnerability in commons-httpclient-3.0.1.jar affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) (CVE-2012-5783)
Summary: The commons-httpclient-3.0.1.jar package is used by IBM Cloud Pak for Data System 2.0. IBM Cloud Pak for Data System 2.0 has addressed the applicable CVE, CVE-2012-5783. Vulnerability Details: CVEID: CVE-2012-5783 DESCRIPTION: Apache Commons HttpClient, as used in Amazon Flexible Payments Servi...
Debian: Security Advisory (DLA-222-1)
The remote host is missing an update for the Debian...
Debian: Security Advisory (DLA-322-1)
The remote host is missing an update for the Debian...
Froxlor 2.0.6 Remote Command Execution
This module requires Metasploit: https://metasploit.com/download. Current source: https://github.com/rapid7/metasploit-framework. Module name: Froxlor Log Path RCE. Description: Froxlor v2.0.6 and below suffer from a bug that allows authenticated users to change the application lo...
Amazon Linux 2 : httpcomponents-client (ALAS-2023-1946)
The version of httpcomponents-client installed on the remote host is prior to 4.2.5-5. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2023-1946 advisory. Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in reques...
K15737: Apache vulnerability CVE-2014-3577
Security Advisory Description: org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509...
K15741: Apache Commons HttpClient vulnerability CVE-2012-6153
Security Advisory Description: http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle...
K15364328: Apache vulnerabilities CVE-2012-5783 and CVE-2012-6153
Security Advisory Description: CVE-2012-5783: Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509...
Medium: httpcomponents-client
Issue Overview: Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution. (CVE-2020-13956) Affected Packages: httpcomponents-client...
Security Bulletin: IBM B2B Advanced Communications is vulnerable to multiple issues due to Apache HttpClient
Summary IBM B2B Advanced Communications has addressed vulnerabilities in Apache HttpClient shipped with product. Vulnerability Details CVEID:CVE-2020-13956 DESCRIPTION: Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by the improper handling of malformed...
Security Bulletin: Multiple vulnerabilities found with third-party libraries used by IBM® MobileFirst Platform
Summary There are multiple vulnerabilities in open source libraries used by IBM MobileFirst Platform Foundation. They are addressed in this update. Vulnerability Details CVEID:CVE-2022-3517 DESCRIPTION: minimatch is vulnerable to a denial of service, caused by a regular expression denial of servi...
SUSE CVE-2012-5783
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle...
SUSE CVE-2013-4366
http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification...
SUSE CVE-2017-1000396
Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins...