github - ghsa-55w9-c3g2-4rrh

ghsa-55w9-c3g2-4rrh

Vulnerability from github

Published

2020-10-07 17:51

Modified

2020-10-07 17:50

Summary

Man-in-the-middle attack in Apache Axis

Details

Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.axis:axis"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "axis:axis"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2012-5784"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-10-07T17:50:33Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject\u0027s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
  "id": "GHSA-55w9-c3g2-4rrh",
  "modified": "2020-10-07T17:50:33Z",
  "published": "2020-10-07T17:51:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5784"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79829"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/44d4e88a5fa8ae60deb752029afe9054da87c5f859caf296fcf585e5@%3Cjava-dev.axis.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/5e6c92145deddcecf70c3604041dcbd615efa2d37632fc2b9c367780@%3Cjava-dev.axis.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/8aa25c99eeb0693fc229ec87d1423b5ed5d58558618706d8aba1d832@%3Cjava-dev.axis.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/a308887782e05da7cf692e4851ae2bd429a038570cbf594e6631cc8d@%3Cjava-dev.axis.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/de2af12dcaba653d02b03235327ca4aa930401813a3cced8e151d29c@%3Cjava-dev.axis.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-0269.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-0683.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0037.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/51219"
    },
    {
      "type": "WEB",
      "url": "http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/56408"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Man-in-the-middle attack in Apache Axis"
}

cve-2012-5784

Vulnerability from cvelistv5

Published

2012-11-04 22:00

Modified

2024-08-06 21:14

Severity

Summary

References

URL	Tags
http://rhn.redhat.com/errata/RHSA-2013-0269.html	vendor-advisory, x_refsource_REDHAT
http://rhn.redhat.com/errata/RHSA-2014-0037.html	vendor-advisory, x_refsource_REDHAT
http://secunia.com/advisories/51219	third-party-advisory, x_refsource_SECUNIA
http://rhn.redhat.com/errata/RHSA-2013-0683.html	vendor-advisory, x_refsource_REDHAT
http://www.securityfocus.com/bid/56408	vdb-entry, x_refsource_BID
https://exchange.xforce.ibmcloud.com/vulnerabilities/79829	vdb-entry, x_refsource_XF
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf	x_refsource_MISC
https://lists.apache.org/thread.html/44d4e88a5fa8ae60deb752029afe9054da87c5f859caf296fcf585e5%40%3Cjava-dev.axis.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/de2af12dcaba653d02b03235327ca4aa930401813a3cced8e151d29c%40%3Cjava-dev.axis.apache.org%3E	mailing-list, x_refsource_MLIST
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00007.html	vendor-advisory, x_refsource_SUSE
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00022.html	vendor-advisory, x_refsource_SUSE
https://lists.apache.org/thread.html/8aa25c99eeb0693fc229ec87d1423b5ed5d58558618706d8aba1d832%40%3Cjava-dev.axis.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/a308887782e05da7cf692e4851ae2bd429a038570cbf594e6631cc8d%40%3Cjava-dev.axis.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/5e6c92145deddcecf70c3604041dcbd615efa2d37632fc2b9c367780%40%3Cjava-dev.axis.apache.org%3E	mailing-list, x_refsource_MLIST

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website