It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 1 | jakarta-commons-httpclient | 2014-09-17 21:47 | ALAS-2014-410 |
Amazon Linux 1 | jakarta-commons-httpclient | 2013-03-14 22:04 | ALAS-2013-169 |
Score Type | Score | Vector | |
---|---|---|---|
Amazon Linux | CVSSv2 | 4.3 | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Amazon Linux | CVSSv3 | 3.7 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
NVD | CVSSv2 | 5.8 | AV:N/AC:M/Au:N/C:P/I:P/A:N |