CVE-2012-5783

Improper Certificate Validation in maven/org.apache.httpcomponents/httpclient

Identifiers

GHSA-3832-9276-x7gf, CVE-2012-5783

Package Slug

maven/org.apache.httpcomponents/httpclient

Vulnerability

Improper Certificate Validation

Description

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
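The check that 3.x omitted, written as an added example (not part of this advisory and not HttpClient's own code) as a plain JDK `javax.net.ssl.HostnameVerifier`: the requested host must match a dNSName subjectAltName entry, and the subject CN is consulted only when the certificate carries no dNSName entries; the class name `StrictHostnameCheck` is hypothetical, and `matches` is kept separate from `verify` so it can be exercised on a parsed certificate without a live TLS session.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

public final class StrictHostnameCheck implements HostnameVerifier { // hypothetical name; added example
    @Override public boolean verify(String host, SSLSession session) {
        try {
            java.security.cert.Certificate[] chain = session.getPeerCertificates();
            return chain.length > 0 && chain[0] instanceof X509Certificate && matches(host, (X509Certificate) chain[0]);
        } catch (SSLPeerUnverifiedException e) { return false; } // no authenticated peer: never fall open
    }
    static boolean matches(String host, X509Certificate cert) {
        List<String> names = dnsSubjectAltNames(cert);
        String cn = commonName(cert);
        if (names.isEmpty() && cn != null) names.add(cn); // CN is consulted only when no dNSName SAN exists
        for (String n : names) if (hostMatches(host.toLowerCase(Locale.ROOT), n.toLowerCase(Locale.ROOT))) return true;
        return false;
    }
    static List<String> dnsSubjectAltNames(X509Certificate cert) {
        List<String> out = new ArrayList<>();
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when the extension is absent
            if (sans != null) for (List<?> san : sans) // GeneralName type 2 = dNSName; IP/e-mail entries are skipped
                if (Integer.valueOf(2).equals(san.get(0)) && san.get(1) instanceof String) out.add((String) san.get(1));
        } catch (CertificateParsingException e) { /* unparseable SAN treated as absent */ }
        return out;
    }
    static String commonName(X509Certificate cert) {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
                if ("CN".equalsIgnoreCase(rdn.getType())) return String.valueOf(rdn.getValue());
        } catch (InvalidNameException e) { /* malformed subject DN: no usable CN */ }
        return null;
    }
    // Exact match, or one leftmost-label wildcard: "*.example.com" matches "www.example.com" but not "example.com" or "a.b.example.com".
    static boolean hostMatches(String host, String pattern) {
        if (!pattern.startsWith("*.")) return host.equals(pattern);
        String suffix = pattern.substring(2);
        return suffix.contains(".") && host.indexOf('.') > 0 && host.substring(host.indexOf('.') + 1).equals(suffix); // "*.com" rejected
    }
}
```

A verifier of this kind only complements, and does not replace, the advisory's fix of moving to a 4.x release that performs the check itself.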

Affected Versions

All versions from 3.0 (inclusive) up to, but not including, 4.0

Solution

Upgrade to version 4.0 or above.

Last Modified

2022-07-25
