CVE-2012-5783

EPSS 0.62%

Improper Certificate Validation in Apache Commons HttpClient

Published: 5/13/2022Modified: 2/4/2026

Also known as:GHSA-3832-9276-x7gfCGA-v9v4-9422-p5gqDEBIAN-CVE-2012-5783

Description

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Note that the Commons HttpClient project is [end of life](https://hc.apache.org/httpclient-legacy/). It has been replaced by the Apache HttpComponents project in its [HttpClient](https://hc.apache.org/httpcomponents-client-5.4.x/) and [HttpCore](https://hc.apache.org/httpcomponents-core-5.3.x/) modules. CVE-2012-5783 has been patched in [v4.0](https://repo1.maven.org/maven2/org/apache/httpcomponents/httpclient/4.0/) of the Apache HttpComponents HttpClient module.

Affected packages (3)

Debian/commons-httpclientfrom 0, < 3.1-10.1
Debian/commons-httpclientfrom 0, < 3.1-9+deb6u1
Maven/commons-httpclient:commons-httpclient>= 3.0

Description

Affected packages (3)

References (18)