VERACODE:11070
Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers

Published: 2019-01-15 08:56:38
Source: Veracode Vulnerability Database (sca.analysiscenter.veracode.com)

CVSS2 score: 5.8 (Medium)
CVSS2 vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

  Access Vector:          NETWORK
  Access Complexity:      MEDIUM
  Authentication:         NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact:       PARTIAL
  Availability Impact:    NONE

Apache Commons HttpClient 3.x (as used in the Amazon Flexible Payments Service (FPS) merchant Java SDK and other SDK products) does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or the subjectAltName field of the X.509 certificate. This allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
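Added example, not code from Veracode or from the Commons HttpClient project: the identity check that the description says HttpClient 3.x omits, written in Python over the certificate dict layout that ssl.SSLSocket.getpeercert() returns. The two sample certificates are constructed; the check treats SAN dNSName entries as authoritative, falls back to the CN only when no DNS SANs are present, accepts a single leftmost wildcard label only, and does not handle IP-address literals.

```python
def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    Only a '*' that is the whole leftmost label is a wildcard; it covers
    exactly one label and needs at least two labels after it.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname: str, cert: dict) -> bool:
    """True if the certificate names the host.

    SAN dNSName entries are authoritative; the subject CN is consulted only
    when the certificate carries no DNS SANs (legacy behaviour). `cert` uses
    the dict layout returned by ssl.SSLSocket.getpeercert().
    """
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(_dns_name_match(n, hostname) for n in dns_names)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_match(cn, hostname) for cn in cns)


def check_server_identity(hostname: str, cert: dict) -> None:
    """Fail closed, as a hardened client must, when the cert does not name the host."""
    if not hostname_matches_cert(hostname, cert):
        raise ValueError(f"certificate does not match hostname {hostname!r}")


# Constructed sample certificates in getpeercert() layout (not real certificates).
CERT_FOR_PAYMENTS = {
    "subject": ((("commonName", "payments.example.com"),),),
    "subjectAltName": (("DNS", "payments.example.com"), ("DNS", "*.api.example.com")),
}
# Valid for a different site: the "arbitrary valid certificate" of the description,
# which a client that skips this check would accept for payments.example.com.
CERT_FOR_OTHER_SITE = {
    "subject": ((("commonName", "other.example.net"),),),
    "subjectAltName": (("DNS", "other.example.net"),),
}
```

Wire check_server_identity into the client right after the TLS handshake, before any request body is sent; chain validation alone (what the affected client still did) does not establish that the peer is the host you asked for.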
