SSL Spoofing Vulnerability in Apache Commons HttpClient 3.x used in Amazon Flexible Payments Service
CVE-2012-5783

Currently unrated

Key Information:

Vendor: Apache
CVE Published: 4 November 2012

Summary

The vulnerability exists in Apache Commons HttpClient 3.x, which is utilized by the Amazon Flexible Payments Service merchant Java SDK. It fails to properly verify whether the server hostname aligns with the domain name present in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. This oversight enables attackers to perform man-in-the-middle attacks, allowing them to impersonate SSL servers using any valid certificate, thereby compromising secure communications.
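
The hostname check that the summary describes as missing can be sketched in Java as follows. This is an added example, not code from Apache Commons HttpClient or the Amazon SDK; the class name, method names and hostnames are hypothetical, and the certificate names are constructed strings rather than values parsed from a real certificate.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

// Added illustration; class, method names and hostnames are hypothetical.
public class HostnameCheckDemo {

    // Match one certificate name; "*" is honoured only as the entire left-most label.
    static boolean matchesName(String host, String certName) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = certName.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return h.equals(p);
        }
        String suffix = p.substring(1);                 // "*.example.com" -> ".example.com"
        if (suffix.indexOf('.', 1) < 0) {
            return false;                               // refuse "*.com"-style names
        }
        int firstDot = h.indexOf('.');
        return firstDot > 0 && h.substring(firstDot).equals(suffix);
    }

    // subjectAltName dNSName entries take precedence; the CN is used only when none exist.
    static boolean verify(String host, List<String> sanDnsNames, String commonName) {
        if (!sanDnsNames.isEmpty()) {
            for (String name : sanDnsNames) {
                if (matchesName(host, name)) {
                    return true;
                }
            }
            return false;
        }
        return commonName != null && matchesName(host, commonName);
    }

    public static void main(String[] args) {
        String host = "payments.example.com";           // constructed server name
        List<String> none = Collections.emptyList();
        // CA-valid certificate issued for a different name: must be rejected.
        System.out.println(verify(host, Arrays.asList("www.example.net"), "www.example.net"));
        // Exact subjectAltName match, and a single-label wildcard match.
        System.out.println(verify(host, Arrays.asList("payments.example.com"), null));
        System.out.println(verify(host, Arrays.asList("*.example.com"), null));
        // Wildcard must not span two labels; CN is ignored when a SAN is present.
        System.out.println(verify("a.payments.example.com", Arrays.asList("*.example.com"), null));
        System.out.println(verify(host, Arrays.asList("www.example.net"), "payments.example.com"));
        // CN fallback applies only when the certificate has no dNSName entries.
        System.out.println(verify(host, none, "payments.example.com"));
    }
}
```

In production code this comparison should come from the platform rather than a hand-written matcher: on JSSE, `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` makes the TLS handshake fail when the certificate does not match the requested host.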

Timeline

  • Vulnerability published

  • Vulnerability Reserved