CVE-2012-5783

Public on 2012-11-04
Modified on 2014-09-19
Description

It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Severity
Medium
See what this means
CVSS v3 Base Score
3.7
See breakdown

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 1 jakarta-commons-httpclient 2014-09-17 21:47 ALAS-2014-410
Amazon Linux 1 jakarta-commons-httpclient 2013-03-14 22:04 ALAS-2013-169

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv2 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Amazon Linux CVSSv3 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
NVD CVSSv2 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N