
CVE-2012-5783

Description

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

#### Bugs

* <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692442>
* <https://issues.apache.org/jira/browse/HTTPCLIENT-1265>
* <https://issues.apache.org/jira/browse/httpclient-613>

#### Notes

| Author | Note |
|---|---|
| [seth-arnold](https://launchpad.net/~seth-arnold) | Apache Commons HttpClient has been replaced by HttpComponents |
| [mdeslaur](https://launchpad.net/~mdeslaur) | debian released 3.1-10.1 with a possible regression; fix was incomplete, see CVE-2012-6153 and CVE-2014-3577 |


Affected Package


| OS | OS Version | Package Name | Package Version |
|---|---|---|---|
| ubuntu | 12.04 | commons-httpclient | 3.1-10ubuntu0.1 |
| ubuntu | upstream | commons-httpclient | 3.1-10.2 |
| ubuntu | upstream | httpcomponents-client | any |

Related