CVE-2012-5817

Опубликовано: 04 нояб. 2012

Источник: nvd

CVSS3: 7.4

CVSS2: 5.8

EPSS Низкий

Описание

Codehaus XFire 1.2.6 and earlier, as used in the Amazon EC2 API Tools Java library and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Ссылки

http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
Exploit
https://exchange.xforce.ibmcloud.com/vulnerabilities/79934
Third Party Advisory
VDB Entry
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
Exploit
https://exchange.xforce.ibmcloud.com/vulnerabilities/79934
Third Party Advisory
VDB Entry

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:amazon:ec2_api_tools_java_library:-:*:*:*:*:*:*:*

cpe:2.3:a:codehaus:xfire:*:*:*:*:*:*:*:*

Версия до 1.2.6 (включая)

EPSS

Процентиль: 33%

0.00132

Низкий

7.4 High

CVSS3

5.8 Medium

CVSS2

Дефекты

CWE-295

Связанные уязвимости

GHSA-5jc8-8xhv-g8qm