{
  "threat_severity" : "Moderate",
  "public_date" : "2012-10-16T00:00:00Z",
  "bugzilla" : {
    "description" : "jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name",
    "id" : "873317",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=873317"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "status" : "verified"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.7",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "details" : [ "Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", "It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, did not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. Because the certificate's identity is never checked against the requested host, a man-in-the-middle attacker who can intercept the connection can spoof an SSL server by presenting any valid certificate accepted by the client's trust store, including one legitimately issued for an unrelated hostname." ],
  "affected_release" : [ {
    "product_name" : "JBEWP 5 for RHEL 5",
    "release_date" : "2013-03-25T00:00:00Z",
    "advisory" : "RHSA-2013:0682",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_platform:5::el5",
    "package" : "jakarta-commons-httpclient-1:3.1-2.1_patch_01.ep5.el5"
  }, {
    "product_name" : "JBEWP 5 for RHEL 6",
    "release_date" : "2013-03-25T00:00:00Z",
    "advisory" : "RHSA-2013:0682",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_platform:5::el6",
    "package" : "jakarta-commons-httpclient-1:3.1-2_patch_01.ep5.el6"
  }, {
    "product_name" : "JBoss Enterprise BRMS Platform 5.3",
    "release_date" : "2013-07-01T00:00:00Z",
    "advisory" : "RHSA-2013:1006",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "release_date" : "2013-02-19T00:00:00Z",
    "advisory" : "RHSA-2013:0270",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5",
    "package" : "jakarta-commons-httpclient-1:3.0-7jpp.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2013-02-19T00:00:00Z",
    "advisory" : "RHSA-2013:0270",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "jakarta-commons-httpclient-1:3.1-0.7.el6_3"
  }, {
    "product_name" : "Red Hat Fuse 7.12",
    "release_date" : "2023-06-29T00:00:00Z",
    "advisory" : "RHSA-2023:3954",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss A-MQ 6.3",
    "release_date" : "2017-04-03T00:00:00Z",
    "advisory" : "RHSA-2017:0868",
    "cpe" : "cpe:/a:redhat:jboss_amq:6.3"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5.2",
    "release_date" : "2013-03-25T00:00:00Z",
    "advisory" : "RHSA-2013:0679",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5.2.0"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4",
    "release_date" : "2013-03-25T00:00:00Z",
    "advisory" : "RHSA-2013:0680",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5::el4",
    "package" : "jakarta-commons-httpclient-1:3.1-2.1_patch_01.ep5.el4"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5 for RHEL 5",
    "release_date" : "2013-03-25T00:00:00Z",
    "advisory" : "RHSA-2013:0680",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5::el5",
    "package" : "jakarta-commons-httpclient-1:3.1-2.1_patch_01.ep5.el5"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5 for RHEL 6",
    "release_date" : "2013-03-25T00:00:00Z",
    "advisory" : "RHSA-2013:0680",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5::el6",
    "package" : "jakarta-commons-httpclient-1:3.1-2_patch_01.ep5.el6"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6.3",
    "release_date" : "2017-04-03T00:00:00Z",
    "advisory" : "RHSA-2017:0868",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6.3"
  }, {
    "product_name" : "Red Hat JBoss Operations Network 3.2",
    "release_date" : "2013-12-17T00:00:00Z",
    "advisory" : "RHSA-2013:1853",
    "cpe" : "cpe:/a:redhat:jboss_operations_network:3.2.0"
  }, {
    "product_name" : "Red Hat JBoss SOA Platform 5.3",
    "release_date" : "2013-08-08T00:00:00Z",
    "advisory" : "RHSA-2013:1147",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5.3"
  }, {
    "product_name" : "Red Hat JBoss Web Framework Kit 2.2",
    "release_date" : "2013-04-22T00:00:00Z",
    "advisory" : "RHSA-2013:0763",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_framework:2.2.0"
  }, {
    "product_name" : "Red Hat JBoss Web Platform 5.2",
    "release_date" : "2013-03-25T00:00:00Z",
    "advisory" : "RHSA-2013:0681",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_platform:5.2.0"
  }, {
    "product_name" : "RHEV Manager version 3.3",
    "release_date" : "2014-02-27T00:00:00Z",
    "advisory" : "RHSA-2014:0224",
    "cpe" : "cpe:/a:redhat:rhev_manager:3",
    "package" : "redhat-support-plugin-rhev-0:3.3.0-14.el6ev"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat JBoss BRMS 5",
    "fix_state" : "Affected",
    "package_name" : "jakarta-commons-httpclient",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 1",
    "fix_state" : "Will not fix",
    "package_name" : "jakarta-commons-httpclient",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Affected",
    "package_name" : "apache-commons-httpclient",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Operations Network 3",
    "fix_state" : "Affected",
    "package_name" : "jakarta-commons-httpclient",
    "cpe" : "cpe:/a:redhat:jboss_operations_network:3"
  }, {
    "product_name" : "Red Hat JBoss Portal 4",
    "fix_state" : "Will not fix",
    "package_name" : "jakarta-commons-httpclient",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:4"
  }, {
    "product_name" : "Red Hat JBoss Portal 5",
    "fix_state" : "Will not fix",
    "package_name" : "jakarta-commons-httpclient",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:5"
  }, {
    "product_name" : "Red Hat JBoss SOA Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "jakarta-commons-httpclient",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:4"
  }, {
    "product_name" : "Red Hat JBoss SOA Platform 5",
    "fix_state" : "Affected",
    "package_name" : "jakarta-commons-httpclient",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager",
    "fix_state" : "Not affected",
    "package_name" : "candlepin",
    "cpe" : "cpe:/a:rhel_sam:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2012-5783\nhttps://nvd.nist.gov/vuln/detail/CVE-2012-5783" ],
  "name" : "CVE-2012-5783",
  "csaw" : false
}