CVSS2 metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector | AV:N/AC:M/Au:N/C:P/I:P/A:N |

EPSS | Value |
---|---|
Percentile | 62.0% |
http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before
4.2.3 does not properly verify that the server hostname matches a domain
name in the subject’s Common Name (CN) or subjectAltName field of the X.509
certificate, which allows man-in-the-middle attackers to spoof SSL servers
via a certificate with a subject that specifies a common name in a field
that is not the CN field. NOTE: this issue exists because of an incomplete
fix for CVE-2012-5783.
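The description above comes down to one point: a hostname verifier must take the CN from the attribute whose type is CN (and the dNSName entries of subjectAltName), not from wherever the text "CN=" happens to appear in the flattened subject string. The following is an added illustration written for this page; it is not Apache HttpClient's code and not the patch for this CVE. The class name `CnExtraction`, the helper names and the subject string in `main` are all constructed here. `naiveCns` shows the fragile text-search pattern that this class of bug stems from; `rdnCns` does the same job by parsing the DN into RDNs with the JDK's `javax.naming.ldap.LdapName`, so only real CN attributes are returned.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Hypothetical helper (not HttpClient code): which certificate names a hostname may match. */
public final class CnExtraction {

    /**
     * Fragile pattern: treat the flattened subject as text and hunt for "cn=".
     * For a subject like "OU=CN=victim.example, CN=attacker.example" this yields
     * two hits, and the first one is the VALUE of the OU attribute, not a CN.
     */
    static List<String> naiveCns(String subjectDn) {
        List<String> hits = new ArrayList<>();
        String lower = subjectDn.toLowerCase(Locale.ROOT);
        int from = 0;
        while (true) {
            int at = lower.indexOf("cn=", from);
            if (at < 0) break;
            int end = subjectDn.indexOf(',', at);
            if (end < 0) end = subjectDn.length();
            hits.add(subjectDn.substring(at + 3, end).trim());
            from = at + 3;
        }
        return hits;
    }

    /** Robust: parse the DN into RDNs and keep only values whose attribute TYPE is CN. */
    static List<String> rdnCns(String subjectDn) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType()) && rdn.getValue() instanceof String) {
                cns.add((String) rdn.getValue());
            }
        }
        return cns;
    }

    /** dNSName entries (GeneralName tag 2 in the JDK's encoding) from subjectAltName. */
    static List<String> dnsSans(X509Certificate cert) throws CertificateParsingException {
        List<String> out = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return out;
        for (List<?> entry : sans) {
            if (Integer.valueOf(2).equals(entry.get(0)) && entry.get(1) instanceof String) {
                out.add((String) entry.get(1));
            }
        }
        return out;
    }

    /** Exact match, or a single leftmost "*." wildcard matching exactly one label. */
    static boolean hostMatches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return h.equals(p);
        String suffix = p.substring(1);                // ".example.com"
        if (suffix.indexOf('.', 1) < 0) return false;  // refuse "*.com"-style patterns
        if (!h.endsWith(suffix)) return false;
        String label = h.substring(0, h.length() - suffix.length());
        return !label.isEmpty() && label.indexOf('.') < 0;
    }

    /** SAN dNSName entries take precedence; the CN is consulted only when there are none. */
    public static boolean verify(String host, X509Certificate cert)
            throws CertificateParsingException, InvalidNameException {
        List<String> candidates = dnsSans(cert);
        if (candidates.isEmpty()) {
            candidates = rdnCns(cert.getSubjectX500Principal().getName());
        }
        for (String name : candidates) {
            if (hostMatches(host, name)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed subject: the only genuine CN is attacker.example; victim.example is inside OU.
        String subject = "OU=CN=victim.example, CN=attacker.example, O=Example";
        System.out.println("naive: " + naiveCns(subject));
        System.out.println("rdn:   " + rdnCns(subject));
    }
}
```

Running `main` prints `[victim.example, attacker.example]` for the naive scan and `[attacker.example]` for the RDN-based extraction, which is the difference this CVE is about: a verifier built on the first list would accept a connection to victim.example presented with that certificate, while one built on the second would not. In `verify`, the subject string is taken from `X500Principal.getName()` (RFC 2253 form), which is what `LdapName` expects.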
Author | Note |
---|---|
mdeslaur | debian’s 06_fix_CVE-2012-5783.patch already contains the fix for CVE-2012-6153 |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 12.04 | noarch | commons-httpclient | < 3.1-10ubuntu0.1 | UNKNOWN |