REDHAT-BUG-873317

First published: Mon Nov 05 2012(Updated: )

Common Vulnerabilities and Exposures assigned an identifier <a href="https://access.redhat.com/security/cve/CVE-2012-5783">CVE-2012-5783</a> to the following vulnerability: Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via andaarbitrary valid certificate. References: [1] <a href="http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf">http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf</a> [2] <a href="https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html">https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html</a> [3] <a href="http://www.sigsac.org/ccs/CCS2012/techprogram.shtml">http://www.sigsac.org/ccs/CCS2012/techprogram.shtml</a>

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/references
• agent/type
• agent/first-publish-date
• agent/last-modified-date
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2012-5783
• agent/source
• agent/severity
• agent/description
• agent/event
• agent/tags
• agent/guess-ai
• agent/software-canonical-lookup
• agent/software-canonical-lookup-request
• agent/softwarecombine
• vendor/apache
• canonical/apache commons httpclient
• vendor/amazon
• canonical/amazon flexible payments service