CVE-2012-5783 (Medium) detected in commons-httpclient-3.1.jar - autoclosed
mend-for-github-com opened this issue · 1 comment
CVE-2012-5783 - Medium Severity Vulnerability
Vulnerable Library - commons-httpclient-3.1.jar
The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1), several related specifications (RFC 2109 (Cookies), RFC 2617 (HTTP Authentication), etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.
Library home page: https://hc.apache.org/httpcomponents-client-ga/
Path to dependency file: ready-mqtt-plugin/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar
Dependency Hierarchy:
- ready-api-soapui-pro-3.3.1.jar (Root Library)
  - ready-api-soapui-3.3.1.jar
    - ❌ commons-httpclient-3.1.jar (Vulnerable Library)
Found in HEAD commit: 72456065a443f2258660fde64bebd87fcbc170bb
Found in base branch: master
Vulnerability Details
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Publish Date: 2012-11-04
URL: CVE-2012-5783
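To make concrete what "does not verify that the server hostname matches" means, the following is an added example (not code from Apache HttpClient, from SmartBear, or from this issue): a small RFC 2818 / RFC 6125 style hostname matcher run over constructed certificate data, with a switch that models the HttpClient 3.x behaviour described above. The certificate objects, the `payments.example` / `attacker.example` names and the `accept_server` function are all assumptions made for the demonstration; no real X.509 parsing or network I/O is involved.

```python
# Added example (not code from Apache HttpClient, SmartBear, or this issue):
# the server-identity check that CVE-2012-5783 says HttpClient 3.x skipped,
# written out as a small RFC 2818 / RFC 6125 style matcher over constructed
# certificate data. Hostnames such as payments.example are made up for the demo.

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cert:
    """Only the identity fields that matter for hostname verification (constructed)."""
    subject_cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)
    chain_valid: bool = True   # assume the CA signature / chain check already passed


def match_identifier(pattern: str, hostname: str) -> bool:
    """Compare one presented identifier (CN or dNSName SAN) with the hostname.

    Case-insensitive; trailing dots ignored. A wildcard is accepted only as the
    whole left-most label ("*.example.com") and matches exactly one label, so
    it covers "api.example.com" but not "example.com" or "a.b.example.com".
    Patterns with fewer than three labels ("*.com") are refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: Cert, hostname: str) -> bool:
    """RFC 6125 rule: if any dNSName SAN is present, the subject CN is ignored."""
    if cert.san_dns:
        return any(match_identifier(n, hostname) for n in cert.san_dns)
    return bool(cert.subject_cn) and match_identifier(cert.subject_cn, hostname)


def accept_server(cert: Cert, hostname: str, verify_hostname: bool) -> bool:
    """Decide whether to trust the TLS server.

    verify_hostname=False models HttpClient 3.x as described in the CVE: any
    certificate that chains to a trusted CA is accepted, whatever name it
    carries. verify_hostname=True adds the missing identity check.
    """
    if not cert.chain_valid:
        return False
    if not verify_hostname:
        return True
    return hostname_matches(cert, hostname)


# Constructed scenario: the client intends to reach payments.example, but an
# on-path attacker presents a certificate validly issued for a domain the
# attacker controls (the "arbitrary valid certificate" of the CVE text).
LEGIT_CERT = Cert(subject_cn="payments.example",
                  san_dns=["payments.example", "www.payments.example"])
ATTACKER_CERT = Cert(subject_cn="attacker.example", san_dns=["attacker.example"])


def demo() -> dict:
    target = "payments.example"
    return {
        "legit_with_check": accept_server(LEGIT_CERT, target, True),
        "attacker_without_check": accept_server(ATTACKER_CERT, target, False),
        "attacker_with_check": accept_server(ATTACKER_CERT, target, True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The point of the scenario is the middle case: with chain validation alone, the attacker's perfectly valid certificate for `attacker.example` is accepted for a connection to `payments.example`, which is exactly the spoofing the CVE describes. The wildcard rules are deliberately strict (single left-most label only, no `*.com`), since lax wildcard handling has been its own source of verifier bugs.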
Suggested Fix
Type: Upgrade version
Origin: https://exchange.xforce.ibmcloud.com/vulnerabilities/79984
Fix Resolution: Apply the appropriate patch for your system. See References.
Note that Commons HttpClient 3.x is end-of-life and no 3.x release corrects this; the practical remedy is to move to Apache HttpComponents HttpClient 4.x (org.apache.httpcomponents:httpclient), which verifies the server hostname against the certificate by default. In this project the jar is not a direct dependency of ready-mqtt-plugin but arrives through ready-api-soapui-3.3.1.jar, so the fix belongs in that upstream dependency; excluding the jar in ready-mqtt-plugin/pom.xml only removes it from the classpath, and any SoapUI code that still uses it would break at runtime.