Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJ4ODMtcjU2Zy1jdjQ3

Improper certificate validation in org.apache.httpcomponents:httpclient

http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.

Permalink: https://github.com/advisories/GHSA-2x83-r56g-cv47
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJ4ODMtcjU2Zy1jdjQ3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 5 years ago
Updated: about 2 months ago

Identifiers: GHSA-2x83-r56g-cv47, CVE-2012-6153
References:

Repository: https://github.com/apache/httpcomponents-client
Blast Radius: 0.0

Affected Packages

maven:org.apache.httpcomponents:httpclient

Dependent packages: 11,971
Dependent repositories: 142,784
Downloads:
Affected Version Ranges: < 4.2.3
Fixed in: 4.2.3
All affected versions: 4.0.1, 4.0.2, 4.0.3, 4.1.1, 4.1.2, 4.1.3, 4.2.1, 4.2.2
All unaffected versions: 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.4.1, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 4.5.7, 4.5.8, 4.5.9, 4.5.10, 4.5.11, 4.5.12, 4.5.13, 4.5.14