CVE-2012-5783

About vulnerability

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Affected product:

Apache Commons , Apache Hadoop , Apache Hive , Apache Spark , Apache Struts , Spring , accumulo , agepredictor , avro , cocoon , dropwizard-metrics-hadoop-metrics2-reporter , groovy , hbase , htmlunit , incubator-retired-slider , jets3t , slide-webdavlib , slider-core , tika , typica

Affected packages:

cocoon-faces-sample @ 2.3.0 (+834 more)

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.