CVE-2012-6153 (severity: medium)

Description

http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.
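
As an added illustration of the flaw described above (written in Python here, not Apache HttpClient's own code): a verifier that scans the subject DN string for any `cn=` substring accepts a certificate whose OU field merely contains the text `CN=www.example.com`, while an RDN-aware parse of the DN returns only the value of the real CN attribute. The subject DN strings are constructed sample values.

```python
"""CVE-2012-6153 pattern: extracting the CN from a subject DN string.
Added illustration, not Apache HttpClient's code: a naive scan for
'cn=' anywhere in the DN (the flaw the CVE describes) is contrasted
with an RDN-aware parse that accepts only the CN attribute itself."""
import re

HONEST_DN = "CN=www.example.com,O=Example Corp,C=US"  # constructed
# Attack shape from the CVE (constructed): the real CN is not the victim
# host; a non-CN field (here OU) carries text that looks like 'CN=host'.
CRAFTED_DN = 'OU="CN=www.example.com",CN=attacker.example.net,O=Evil,C=US'

def naive_cns(subject_dn):
    """Vulnerable: any 'cn=' substring counts, whatever field it sits in."""
    return re.findall(r'cn=([^,"]+)', subject_dn, re.IGNORECASE)

def parse_rdns(subject_dn):
    """Split an RFC 4514 style DN into (TYPE, value) pairs, honouring quotes
    and backslash escapes so ',' or '=' inside a value cannot fake an RDN."""
    pairs, buf, quoted, i = [], [], False, 0
    while i < len(subject_dn):
        ch = subject_dn[i]
        if ch == "\\" and i + 1 < len(subject_dn):  # escaped character
            buf.append(subject_dn[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted  # quotes delimit, they are not part of the value
        elif ch in ",+" and not quoted:  # RDN or multi-value boundary
            pairs.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    pairs.append("".join(buf))
    split = [p.partition("=") for p in pairs if "=" in p]
    return [(t.strip().upper(), v.strip()) for t, _, v in split]

def strict_cns(subject_dn):
    """Hardened: only values whose attribute type is exactly CN."""
    return [v for t, v in parse_rdns(subject_dn) if t == "CN"]

def verify(hostname, subject_dn, cn_extractor):
    """Exact, case-insensitive match of hostname against the extracted CNs
    (wildcards and subjectAltName handling are out of scope here)."""
    return hostname.lower() in (cn.lower() for cn in cn_extractor(subject_dn))

if __name__ == "__main__":
    for label, extractor in (("naive", naive_cns), ("strict", strict_cns)):
        print(label, verify("www.example.com", CRAFTED_DN, extractor))
```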

References

http://rhn.redhat.com/errata/RHSA-2014-1098.html

http://rhn.redhat.com/errata/RHSA-2014-1833.html

http://rhn.redhat.com/errata/RHSA-2014-1834.html

http://rhn.redhat.com/errata/RHSA-2014-1835.html

http://rhn.redhat.com/errata/RHSA-2014-1836.html

http://rhn.redhat.com/errata/RHSA-2014-1891.html

http://rhn.redhat.com/errata/RHSA-2014-1892.html

http://rhn.redhat.com/errata/RHSA-2015-0125.html

http://rhn.redhat.com/errata/RHSA-2015-0158.html

http://rhn.redhat.com/errata/RHSA-2015-0675.html

http://rhn.redhat.com/errata/RHSA-2015-0720.html

http://rhn.redhat.com/errata/RHSA-2015-0765.html

http://rhn.redhat.com/errata/RHSA-2015-0850.html

http://rhn.redhat.com/errata/RHSA-2015-0851.html

http://rhn.redhat.com/errata/RHSA-2015-1888.html

http://svn.apache.org/viewvc?view=revision&revision=1411705

http://www.securityfocus.com/bid/69257

http://www.ubuntu.com/usn/USN-2769-1

https://access.redhat.com/solutions/1165533

https://bugzilla.redhat.com/show_bug.cgi?id=1129916

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564

Details

Source: MITRE

Published: 2014-09-04

Updated: 2018-01-05

Type: CWE-20

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:apache:commons-httpclient:*:*:*:*:*:*:*:* versions from 4.0 to 4.2.2 (inclusive)

Tenable Plugins (19 total)

ID | Name | Product | Family | Severity
149787 | IBM WebSphere Application Server 8.0.x <= 8.0.0.15 / 8.5.x < 8.5.5.20 / 9.0.x < 9.0.5.8 Multiple Vulnerabilities | Nessus | Web Servers | high
94419 | FreeBSD : Axis2 -- Security vulnerabilities on dependency Apache HttpClient (ac18046c-9b08-11e6-8011-005056925db4) | Nessus | FreeBSD Local Security Checks | medium
86401 | Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : commons-httpclient vulnerabilities (USN-2769-1) | Nessus | Ubuntu Local Security Checks | medium
85712 | RHEL 6 : Virtualization Manager (RHSA-2015:0158) | Nessus | Red Hat Local Security Checks | medium
83545 | Debian DLA-222-1 : commons-httpclient security update | Nessus | Debian Local Security Checks | medium
82850 | IBM WebSphere Portal 8.0.0.x < 8.0.0.1 CF15 Multiple Vulnerabilities | Nessus | CGI abuses | medium
80159 | RHEL 5 / 6 / 7 : JBoss EAP (RHSA-2014:2019) | Nessus | Red Hat Local Security Checks | medium
79205 | RHEL 5 / 6 : JBoss EAP (RHSA-2014:1834) | Nessus | Red Hat Local Security Checks | medium
79204 | RHEL 5 / 6 : JBoss EWP (RHSA-2014:1833) | Nessus | Red Hat Local Security Checks | medium
79042 | RHEL 6 : devtoolset-2-httpcomponents-client (RHSA-2014:1098) | Nessus | Red Hat Local Security Checks | medium
78353 | Amazon Linux AMI : jakarta-commons-httpclient (ALAS-2014-410) | Nessus | Amazon Linux Local Security Checks | medium
78008 | RHEL 4 / 5 / 6 : JBoss EAP (RHSA-2014:1321) | Nessus | Red Hat Local Security Checks | medium
78007 | RHEL 4 / 5 / 6 : JBoss EWP (RHSA-2014:1320) | Nessus | Red Hat Local Security Checks | medium
77649 | Mandriva Linux Security Advisory : jakarta-commons-httpclient (MDVSA-2014:170) | Nessus | Mandriva Local Security Checks | medium
77561 | RHEL 5 / 6 / 7 : JBoss EAP (RHSA-2014:1162) | Nessus | Red Hat Local Security Checks | medium
77445 | Fedora 19 : httpcomponents-client-4.2.5-4.fc19 (2014-9629) | Nessus | Fedora Local Security Checks | medium
77444 | Fedora 20 : httpcomponents-client-4.2.5-4.fc20 (2014-9617) | Nessus | Fedora Local Security Checks | medium
77399 | Fedora 20 : jakarta-commons-httpclient-3.1-15.fc20 (2014-9581) | Nessus | Fedora Local Security Checks | medium
77396 | Fedora 19 : jakarta-commons-httpclient-3.1-15.fc19 (2014-9539) | Nessus | Fedora Local Security Checks | medium