Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS0zODMyLTkyNzYteDdnZs3xbg

Improper Certificate Validation in apache HttpClient

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Permalink: https://github.com/advisories/GHSA-3832-9276-x7gf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zODMyLTkyNzYteDdnZs3xbg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: about 1 month ago

Identifiers: GHSA-3832-9276-x7gf, CVE-2012-5783
References:

• https://nvd.nist.gov/vuln/detail/CVE-2012-5783
• https://access.redhat.com/errata/RHSA-2017:0868
• https://exchange.xforce.ibmcloud.com/vulnerabilities/79984
• https://issues.apache.org/jira/browse/HTTPCLIENT-1265
• http://lists.opensuse.org/opensuse-updates/2013-02/msg00078.html
• http://lists.opensuse.org/opensuse-updates/2013-04/msg00040.html
• http://lists.opensuse.org/opensuse-updates/2013-04/msg00041.html
• http://lists.opensuse.org/opensuse-updates/2013-04/msg00053.html
• http://rhn.redhat.com/errata/RHSA-2013-0270.html
• http://rhn.redhat.com/errata/RHSA-2013-0679.html
• http://rhn.redhat.com/errata/RHSA-2013-0680.html
• http://rhn.redhat.com/errata/RHSA-2013-0682.html
• http://rhn.redhat.com/errata/RHSA-2013-1853.html
• http://rhn.redhat.com/errata/RHSA-2014-0224.html
• http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
• http://www.ubuntu.com/usn/USN-2769-1
• https://github.com/advisories/GHSA-3832-9276-x7gf

Blast Radius: 0.0

Affected Packages