CVE-2012-5783

Public on 2012-11-04
Modified on 2014-09-19
Description
It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Severity
Medium severity
Medium
CVSS v3 Base Score
3.7
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 1 jakarta-commons-httpclient 2013-03-14 ALAS-2013-169 Fixed
Amazon Linux 1 jakarta-commons-httpclient 2014-09-17 ALAS-2014-410 Fixed

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv2 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Amazon Linux CVSSv3 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
NVD CVSSv2 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N