GHSA-3832-9276-x7gf

Source
https://github.com/advisories/GHSA-3832-9276-x7gf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3832-9276-x7gf/GHSA-3832-9276-x7gf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3832-9276-x7gf
Aliases
  • CVE-2012-5783
Published
2022-05-13T01:10:34Z
Modified
2024-03-14T22:02:33.751135Z
Summary
Improper Certificate Validation in Apache HttpClient
Details

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

References

Affected packages

Maven / commons-httpclient:commons-httpclient

Package

Name
commons-httpclient:commons-httpclient
Purl
pkg:maven/commons-httpclient/commons-httpclient

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0
Fixed
4.0

Affected versions

3.*

3.0
3.0.1
3.1-alpha1
3.1-beta1
3.1-rc1
3.1
3.1-jenkins-1
3.1-jenkins-2
3.1-jenkins-3