CVE-2012-5783

Currently unrated

Key Information:

Vendor: Apache
Status: Httpclient
Vendor: CVE Published:; 4 November 2012

Summary

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

References

http://rhn.redhat.com/errata/RHSA-2013-0681.html

vendor-advisoryx_refsource_REDHAT

https://issues.apache.org/jira/browse/HTTPCLIENT-1265

x_refsource_CONFIRM

http://lists.opensuse.org/opensuse-updates/2013-04/msg000...

vendor-advisoryx_refsource_SUSE

Timeline

Vulnerability published
Nov 4, 2012
Vulnerability Reserved
Nov 4, 2012