CVE-2012-5784

Apache Axis <= 1.4 - Man-in-the-Middle Attack via SSL Certificate Hostname Mismatch

Title source: llm
STIX 2.1

Description

Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

References (14)

Core 14
Core References
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-0269.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-0037.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/51219
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-0683.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/56408
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/79829
Exploit, Technical Description x_refsource_misc
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

Scores

EPSS 0.0572
EPSS Percentile 92.2%

Details

CWE
CWE-20
Status published
Products (13)
apache/activemq < 5.7.0
apache/axis (6 CPE variants)
apache/axis 1.0 (4 CPE variants)
apache/axis 1.1 (4 CPE variants)
apache/axis 1.2 (8 CPE variants)
apache/axis 1.2.1
apache/axis 1.3
apache/axis < 1.4
axis/axis 0Maven
org.apache.axis/axis 0Maven
... and 3 more
Published Nov 04, 2012
Tracked Since Feb 18, 2026