
Man-in-the-Middle (CVE-2012-6153) #79

@vdenotaris

Description


Man-in-the-Middle
commons-httpclient:commons-httpclient is an HttpClient component of the Apache HttpComponents project.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM) attacks because the requesting server's hostname is not verified against the domain names in the SSL certificate. The AbstractVerifier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field.

NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.
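To make the failure mode concrete, here is an added illustration (not code from commons-httpclient, and written in Python rather than the library's Java so it runs stand-alone) contrasting a check that greps the flattened subject DN text for `cn=` with a structured check that reads subjectAltName dNSName entries first and the commonName attribute only as a fallback. The certificates, the hostnames `bank.example` and `attacker.example`, and the `SHORT` attribute map are constructed for the example; the dict layout follows `ssl.getpeercert()`.

```python
import re

# Certificates below use the dict shape returned by ssl.getpeercert():
# "subject" is a tuple of RDNs, each a tuple of (attribute, value) pairs,
# and "subjectAltName" is a tuple of (type, value) pairs.
SHORT = {"commonName": "CN", "organizationalUnitName": "OU", "organizationName": "O"}

# Constructed sample: a genuine certificate for bank.example.
LEGIT_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "www.bank.example")),
}
# Constructed sample: a certificate for attacker.example whose OU attribute
# merely contains the text "CN=bank.example" (the non-CN field the advisory describes).
SPOOF_CERT = {
    "subject": ((("organizationalUnitName", "CN=bank.example"),),
                (("commonName", "attacker.example"),)),
    "subjectAltName": (("DNS", "attacker.example"),),
}

def flatten_subject(subject):
    """Render the subject as one 'OU=..., CN=...' string."""
    return ", ".join(f"{SHORT.get(k, k)}={v}" for rdn in subject for k, v in rdn)

def weak_matches_hostname(cert, hostname):
    """The flawed approach the advisory describes: scan the flattened DN text for
    'cn=' instead of reading the commonName attribute, so text in another field wins."""
    m = re.search(r"(?i)cn=([^,]+)", flatten_subject(cert["subject"]))
    return m is not None and m.group(1).lower() == hostname.lower()

def _dns_match(pattern, hostname):
    """Case-insensitive exact match, or a leading '*.' covering exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        head, _, rest = hostname.partition(".")
        return bool(head) and "." in rest and rest == pattern[2:]
    return pattern == hostname

def strict_matches_hostname(cert, hostname):
    """Hardened check: trust subjectAltName dNSName entries when present and fall
    back to the subject's commonName attribute (not the DN text) only if none exist."""
    san_dns = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if san_dns:
        return any(_dns_match(p, hostname) for p in san_dns)
    cns = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, hostname) for cn in cns)
```

`weak_matches_hostname(SPOOF_CERT, "bank.example")` returns True while `strict_matches_hostname` returns False for the same input, which is the gap the fix closes.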


Labels: kind/bug, priority/important-soon
