Select your cookie preferences

We use cookies and similar tools to enhance your experience, provide our services, deliver relevant advertising, and make improvements. Approved third parties also use these tools to help us deliver advertising and provide certain site features.

CVE-2012-5783

Public on 2012-11-04
Modified on 2014-09-19
Description

It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Severity
Medium
See what this means
CVSS v3 Base Score
3.7
See breakdown
Continue reading

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 1 jakarta-commons-httpclient 2014-09-17 21:47 ALAS-2014-410
Amazon Linux 1 jakarta-commons-httpclient 2013-03-14 22:04 ALAS-2013-169

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv2 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Amazon Linux CVSSv3 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
NVD CVSSv2 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N