Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zODMyLTkyNzYteDdnZs3xbg
Improper Certificate Validation in apache HttpClient
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Permalink: https://github.com/advisories/GHSA-3832-9276-x7gfJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zODMyLTkyNzYteDdnZs3xbg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: about 1 month ago
Identifiers: GHSA-3832-9276-x7gf, CVE-2012-5783
References:
- https://nvd.nist.gov/vuln/detail/CVE-2012-5783
- https://access.redhat.com/errata/RHSA-2017:0868
- https://exchange.xforce.ibmcloud.com/vulnerabilities/79984
- https://issues.apache.org/jira/browse/HTTPCLIENT-1265
- http://lists.opensuse.org/opensuse-updates/2013-02/msg00078.html
- http://lists.opensuse.org/opensuse-updates/2013-04/msg00040.html
- http://lists.opensuse.org/opensuse-updates/2013-04/msg00041.html
- http://lists.opensuse.org/opensuse-updates/2013-04/msg00053.html
- http://rhn.redhat.com/errata/RHSA-2013-0270.html
- http://rhn.redhat.com/errata/RHSA-2013-0679.html
- http://rhn.redhat.com/errata/RHSA-2013-0680.html
- http://rhn.redhat.com/errata/RHSA-2013-0682.html
- http://rhn.redhat.com/errata/RHSA-2013-1853.html
- http://rhn.redhat.com/errata/RHSA-2014-0224.html
- http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
- http://www.ubuntu.com/usn/USN-2769-1
- https://github.com/advisories/GHSA-3832-9276-x7gf
Affected Packages
maven:commons-httpclient:commons-httpclient
Dependent packages: 2,196Dependent repositories: 34,589
Downloads:
Affected Version Ranges: >= 3.0, < 4.0
Fixed in: 4.0
All affected versions: 3.0.1
All unaffected versions: 2.0.1, 2.0.2