CVE-2012-5783
Public on 2012-11-04
Modified on 2014-09-19
Description
It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | jakarta-commons-httpclient | 2013-03-14 | ALAS-2013-169 | Fixed |
| Amazon Linux 1 | jakarta-commons-httpclient | 2014-09-17 | ALAS-2014-410 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv2 | 4.3 | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| Amazon Linux | CVSSv3 | 3.7 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
| NVD | CVSSv2 | 5.8 | AV:N/AC:M/Au:N/C:P/I:P/A:N |