SSL Spoofing Vulnerability in Apache Axis2 by The Apache Software Foundation
CVE-2012-5785
Currently unrated
Summary
Apache Axis2 versions 1.6.2 and earlier do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or in the subjectAltName field of the server's X.509 certificate. Because of this omission, a man-in-the-middle attacker can spoof an SSL server with an arbitrary valid certificate, potentially leading to unauthorized access to sensitive information.
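The missing check, sketched in Python as an added example (it is not Axis2 code, which is Java). The function names are hypothetical, and the certificate dictionaries are constructed samples in the layout returned by Python's `ssl.SSLSocket.getpeercert()`; only DNS names are handled, not IP addresses.

```python
# Added illustration of hostname verification against SAN/CN; not Axis2 code.

def _name_match(pattern: str, host: str) -> bool:
    """Compare one DNS name taken from a certificate with the requested host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "*" in host:
        return False
    # A wildcard is honoured only as the entire left-most label, and only
    # when at least two labels follow it, so "*.com" never matches.
    if p[0] == "*" and len(p) >= 3 and h[0]:
        p, h = p[1:], h[1:]
    return "*" not in "".join(p) and p == h


def hostname_matches(cert: dict, host: str) -> bool:
    """Return True only if the certificate was issued for `host`."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        # When dNSName entries are present the CN is ignored (RFC 6125).
        return any(_name_match(n, host) for n in dns_names)
    # Legacy fallback to the subject CN, as named in the advisory text.
    cns = [v for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    return any(_name_match(cn, host) for cn in cns)


# Constructed sample: a certificate that chains to a trusted CA but was
# issued to a different site than the one the client asked for.
OTHER_SITE_CERT = {
    "subject": ((("commonName", "shop.example.net"),),),
    "subjectAltName": (("DNS", "shop.example.net"),
                       ("DNS", "*.cdn.example.net")),
}
# Constructed sample: an older certificate that carries only a CN.
CN_ONLY_CERT = {"subject": ((("commonName", "ws.example.org"),),)}

if __name__ == "__main__":
    # The client intended to reach ws.example.org.
    for cert in (OTHER_SITE_CERT, CN_ONLY_CERT):
        verdict = "accept" if hostname_matches(cert, "ws.example.org") else "reject"
        print(verdict)
```

A client that validates only the certificate chain accepts both sample certificates; with the name check in place, the first is rejected for `ws.example.org`.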