Описание
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Ссылки
- Broken Link
- Broken Link
- Broken Link
- Broken Link
- Broken Link
- Broken Link
- Broken Link
- Broken Link
- Broken Link
- Broken Link
- Broken Link
- Broken Link
- Technical DescriptionThird Party Advisory
- Third Party AdvisoryVDB Entry
- Third Party Advisory
- Third Party Advisory
- Third Party AdvisoryVDB Entry
- Issue TrackingPatchVendor Advisory
- Broken Link
- Broken Link
Уязвимые конфигурации
Одно из
EPSS
5.8 Medium
CVSS2
Дефекты
Связанные уязвимости
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Ser ...
Improper Certificate Validation in Apache Commons HttpClient
ELSA-2013-0270: jakarta-commons-httpclient security update (MODERATE)
EPSS
5.8 Medium
CVSS2