Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU1dzktYzNnMi00cnJo

Man-in-the-middle attack in Apache Axis

Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Permalink: https://github.com/advisories/GHSA-55w9-c3g2-4rrh
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU1dzktYzNnMi00cnJo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: over 1 year ago


Identifiers: GHSA-55w9-c3g2-4rrh, CVE-2012-5784
References:
Blast Radius: 0.0

Affected Packages

maven:axis:axis
Dependent packages: 133
Dependent repositories: 1,117
Downloads:
Affected Version Ranges: <= 1.4
No known fixed version
All affected versions: 1.2.1

maven:org.apache.axis:axis
Dependent packages: 129
Dependent repositories: 2,473
Downloads:
Affected Version Ranges: <= 1.4
No known fixed version
All affected versions: