GHSA-3832-9276-x7gf

Source
https://github.com/advisories/GHSA-3832-9276-x7gf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3832-9276-x7gf/GHSA-3832-9276-x7gf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3832-9276-x7gf
Aliases
CVE-2012-5783
Related
Published
2022-05-13T01:10:34Z
Modified
2024-12-06T05:35:03.860614Z
Summary
Improper Certificate Validation in Apache Commons HttpClient
Details

Apache Commons HttpClient 3.x, as used in the Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. The library still checks that the certificate chains to a trusted CA, but any valid certificate for any name is accepted, so a man-in-the-middle attacker holding a certificate legitimately issued for an unrelated domain can impersonate an SSL server to a 3.x client.

Note that the Commons HttpClient project is end of life. It has been replaced by the Apache HttpComponents project in its HttpClient and HttpCore modules. CVE-2012-5783 has been patched in v4.0 of the Apache HttpComponents HttpClient module.

Database specific
{
    "nvd_published_at": "2012-11-04T22:55:00Z",
    "cwe_ids": [
        "CWE-295"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-13T13:58:59Z"
}
References

Affected packages

Maven / commons-httpclient:commons-httpclient

Package

Name
commons-httpclient:commons-httpclient
Purl
pkg:maven/commons-httpclient/commons-httpclient

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0

Affected versions

3.*

3.0
3.0.1
3.1-alpha1
3.1-beta1
3.1-rc1
3.1
3.1-jenkins-1
3.1-jenkins-2
3.1-jenkins-3

Other

20020423

Database specific

{
    "last_known_affected_version_range": "< 4.0"
}