Vulnerability Details: CVE-2012-6153
http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.
Vulnerability category: Input validation
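As an added example (not HttpClient's or the Apache project's own code), the Java below contrasts a naive substring-based CN extraction, constructed here to stand in for the class of flaw the description names, with structural RDN parsing via javax.naming.ldap.LdapName, which is how a verifier avoids taking a "common name" from a field that is not the CN field. The subject DN string and hostnames are constructed; a real verifier would feed it the RFC 2253 string from cert.getSubjectX500Principal().getName().

```java
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class SubjectCnExtraction {
    // Flawed pattern, constructed to illustrate the class of bug in the
    // description (not HttpClient's code): split the stringified DN on commas
    // and accept any token containing "CN=" as a common name.
    static List<String> naiveCns(String subjectDn) {
        List<String> cns = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(subjectDn, ",");
        while (st.hasMoreTokens()) {
            String tok = st.nextToken();
            int x = tok.indexOf("CN=");
            if (x >= 0) {
                cns.add(tok.substring(x + 3));
            }
        }
        return cns;
    }

    // Hardened form: parse the DN into RDNs (RFC 2253) and keep only those
    // whose attribute TYPE is CN. The first '=' separates type from value, so
    // an O= attribute whose value is "CN=www.victim.example" is never a CN.
    static List<String> structuredCns(String subjectDn) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                cns.add(String.valueOf(rdn.getValue()));
            }
        }
        return cns;
    }
    // CN-only host check; a real verifier tries subjectAltName dNSName entries
    // first and falls back to the CN at most.
    static boolean hostMatchesCn(String host, List<String> cns) {
        return cns.stream().anyMatch(cn -> cn.equalsIgnoreCase(host));
    }
    public static void main(String[] args) throws InvalidNameException {
        // Constructed subject DN in the form getSubjectX500Principal().getName()
        // returns: the only CN is attacker.example; the O value contains "CN=".
        String subject = "CN=attacker.example,O=CN=www.victim.example,C=US";
        System.out.println("naive:      " + hostMatchesCn("www.victim.example", naiveCns(subject)));
        System.out.println("structured: " + hostMatchesCn("www.victim.example", structuredCns(subject)));
    }
}
```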
Products affected by CVE-2012-6153
- cpe:2.3:a:apache:commons-httpclient:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-6153
- EPSS score: 0.83% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~82% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2012-6153
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
CWE ids for CVE-2012-6153
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2012-6153
- http://rhn.redhat.com/errata/RHSA-2015-0851.html
  RHSA-2015:0851 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2014-1836.html
  Red Hat Customer Portal (Third Party Advisory)
- http://svn.apache.org/viewvc?view=revision&revision=1411705
  [Apache-SVN] Revision 1411705 (Vendor Advisory)
- http://rhn.redhat.com/errata/RHSA-2015-0850.html
  RHSA-2015:0850 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564
  HPSBMU03584 rev.2 - HPE Network Node Manager I (NNMi), Multiple Remote Vulnerabilities (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1129916
  1129916 – (CVE-2012-6153) CVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix (Issue Tracking; Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2014-1892.html
  RHSA-2014:1892 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/solutions/1165533
  Do CVE-2012-6153 and CVE-2014-3577 affect Red Hat products? - Red Hat Customer Portal (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2015-0720.html
  RHSA-2015:0720 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2015-0765.html
  RHSA-2015:0765 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://www.securityfocus.com/bid/69257
  Apache HttpComponents Incomplete Fix SSL Certificate Validation Security Bypass Vulnerability (Third Party Advisory; VDB Entry)
- http://rhn.redhat.com/errata/RHSA-2015-0675.html
  RHSA-2015:0675 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2015-1888.html
  RHSA-2015:1888 - Security Advisory - Red Hat Customer Portal
- http://www.ubuntu.com/usn/USN-2769-1
  USN-2769-1: Apache Commons HttpClient vulnerabilities | Ubuntu security notices (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2015-0125.html
  Red Hat Customer Portal (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2014-1833.html
  RHSA-2014:1833 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2014-1834.html
  RHSA-2014:1834 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2014-1835.html
  Red Hat Customer Portal (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2015-0158.html
  RHSA-2015:0158 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2014-1891.html
  RHSA-2014:1891 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2014-1098.html
  RHSA-2014:1098 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)