CVE-2012-5783

Impact: Moderate
Public: 2012-10-16
Bugzilla: 873317: CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name

Details

The MITRE CVE dictionary describes this issue as:

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Find out more about CVE-2012-5783 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score: 4.3
Base Metrics: AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat security errata

Platform | Errata | Release Date
JBoss Enterprise BRMS Platform 5.3 | RHSA-2013:1006 | July 01, 2013
RHEV-M for Servers (redhat-support-plugin-rhev) | RHSA-2014:0224 | February 27, 2014
Red Hat Enterprise Linux version 5 (jakarta-commons-httpclient) | RHSA-2013:0270 | February 19, 2013
Red Hat Enterprise Linux version 6 (jakarta-commons-httpclient) | RHSA-2013:0270 | February 19, 2013
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (jakarta-commons-httpclient) | RHSA-2013:0680 | March 25, 2013
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (jakarta-commons-httpclient) | RHSA-2013:0680 | March 25, 2013
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (jakarta-commons-httpclient) | RHSA-2013:0680 | March 25, 2013
Red Hat JBoss Enterprise Application Platform 5.2 | RHSA-2013:0679 | March 25, 2013
Red Hat JBoss Operations Network 3.2 | RHSA-2013:1853 | December 17, 2013
Red Hat JBoss SOA Platform 5.3 | RHSA-2013:1147 | August 08, 2013
Red Hat JBoss Web Framework Kit 2.2 | RHSA-2013:0763 | April 22, 2013
Red Hat JBoss Web Platform 5 for RHEL 4 AS (jakarta-commons-httpclient) | RHSA-2013:0682 | March 25, 2013
Red Hat JBoss Web Platform 5 for RHEL 5 Server (jakarta-commons-httpclient) | RHSA-2013:0682 | March 25, 2013
Red Hat JBoss Web Platform 5 for RHEL 6 Server (jakarta-commons-httpclient) | RHSA-2013:0682 | March 25, 2013
Red Hat JBoss Web Platform 5.2 | RHSA-2013:0681 | March 25, 2013

External References

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact the Red Hat Security Response Team.