CVE-2012-5783

Apache Commons HttpClient 3.x - Improper Certificate Validation

Title source: llm

Description

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
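The check that HttpClient 3.x skipped, as an added example that is not code from this page or from Apache HttpClient: a Python implementation of server hostname verification that accepts a name only if it matches a subjectAltName dNSName (or, for certificates without any dNSName SAN, the subject Common Name), with an IP literal required to match an IP Address SAN. Certificates use the dict layout of Python's `ssl.SSLSocket.getpeercert()` so the matcher could be pointed at a real peer certificate; the sample certificates, hostnames, and the `chain_is_trusted` flag standing in for PKIX path validation are constructed for illustration. `accept_vulnerable` models the 3.x behaviour in the description (chain validation only), `accept_hardened` adds the hostname check.

```python
"""
Hostname verification of a server certificate, the check that Apache Commons
HttpClient 3.x omitted (CVE-2012-5783, CWE-295).

Certificates are represented in the dict layout that Python's
ssl.SSLSocket.getpeercert() returns, so hostname_matches() can be pointed at a
real peer certificate; the certificates below are constructed samples.
"""
import ipaddress


def _san_values(cert, kind):
    """All subjectAltName entries of the given kind ('DNS' or 'IP Address')."""
    return [value for (key, value) in cert.get("subjectAltName", ()) if key == kind]


def _subject_cn(cert):
    """The subject Common Name, or None if the subject has no CN attribute."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _dns_name_matches(pattern, hostname):
    """Case-insensitive DNS name match with the RFC 6125 wildcard rules:
    '*' is accepted only as the entire left-most label, it matches exactly one
    label (never across a dot), and a wildcard needs at least two further labels
    so that '*.com' cannot match 'example.com'."""
    plabels = pattern.lower().rstrip(".").split(".")
    hlabels = hostname.lower().rstrip(".").split(".")
    if not all(plabels) or not all(hlabels):
        return False  # empty labels ('a..b') never match
    if "*" not in pattern:
        return plabels == hlabels
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]) or len(plabels) < 3:
        return False
    return len(hlabels) == len(plabels) and plabels[1:] == hlabels[1:]


def hostname_matches(hostname, cert):
    """True only if the name the client asked for is covered by the certificate.

    An IP literal must equal an 'IP Address' SAN. A DNS name is checked against
    the dNSName SANs; the subject CN is consulted only when the certificate has
    no dNSName SAN at all, which is how RFC 2818 / RFC 6125 order the two."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        for value in _san_values(cert, "IP Address"):
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        return False  # a CN is never used to match an IP literal
    dns_names = _san_values(cert, "DNS")
    if dns_names:
        return any(_dns_name_matches(p, hostname) for p in dns_names)
    cn = _subject_cn(cert)
    return cn is not None and _dns_name_matches(cn, hostname)


def accept_vulnerable(hostname, cert, chain_is_trusted):
    """What the HttpClient 3.x default amounted to: the TLS layer's chain check is
    the only gate, so any CA-issued certificate passes for any hostname.
    `chain_is_trusted` is a constructed stand-in for the PKIX path validation
    the TLS stack already performed."""
    return chain_is_trusted


def accept_hardened(hostname, cert, chain_is_trusted):
    """Chain validation plus the hostname check: an attacker's own valid
    certificate is rejected because its names do not cover the target host."""
    return chain_is_trusted and hostname_matches(hostname, cert)


# Constructed sample certificates (not real certificates).
LEGIT_CERT = {
    "subject": ((("commonName", "api.payments.example"),),),
    "subjectAltName": (
        ("DNS", "api.payments.example"),
        ("DNS", "*.payments.example"),
        ("IP Address", "192.0.2.10"),
    ),
}
# A perfectly valid CA-issued certificate for a domain the attacker controls.
ATTACKER_CERT = {
    "subject": ((("commonName", "attacker.example"),),),
    "subjectAltName": (("DNS", "attacker.example"),),
}


if __name__ == "__main__":
    target = "api.payments.example"
    print("vulnerable accepts attacker cert:", accept_vulnerable(target, ATTACKER_CERT, True))
    print("hardened accepts attacker cert:  ", accept_hardened(target, ATTACKER_CERT, True))
    print("hardened accepts legit cert:     ", accept_hardened(target, LEGIT_CERT, True))
```

The point the example makes is that a "valid" certificate is not enough: `ATTACKER_CERT` chains to a trusted CA and still passes `accept_vulnerable` for `api.payments.example`, which is exactly the spoofing the description calls out. On the Java side the same check lives outside HttpClient 3.x: `javax.net.ssl.HttpsURLConnection` applies a `HostnameVerifier` by default, and the distribution advisories listed under References backport a hostname check into the 3.x packages.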

References (18)

Broken Link vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-0681.html
Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
https://issues.apache.org/jira/browse/HTTPCLIENT-1265
Broken Link vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2013-04/msg00040.html
Broken Link vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-0680.html
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:0868
Broken Link vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2013-02/msg00078.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/58073
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/79984
Broken Link vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-0270.html
Broken Link vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-0682.html
Broken Link vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2013-04/msg00053.html
Broken Link vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2013-04/msg00041.html
Broken Link vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-1853.html
Technical Description, Third Party Advisory x_refsource_misc
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
Broken Link vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-0679.html
Broken Link vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-1147.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2769-1
Broken Link vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-0224.html

Scores

EPSS 0.0925
EPSS Percentile 94.7%

Details

CWE
CWE-295
Status published
Products (5)
apache/httpclient 3.1
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 15.04
commons-httpclient/commons-httpclient 3.0 (Maven)
Published Nov 04, 2012
Tracked Since Feb 18, 2026