CVE-2012-5783

Vulnerable software (CPE):
cpe:/a:amazon:flexible_payments_service:-
cpe:/a:apache:commons-httpclient:3.0
cpe:/o:canonical:ubuntu_linux:12.04::~~lts~~~
cpe:/o:canonical:ubuntu_linux:14.04::~~lts~~~
cpe:/o:canonical:ubuntu_linux:15.04

Published: 2012-11-04T17:55:03.297-05:00
Last modified: 2018-01-04T21:29:32.993-05:00

CVSS base score: 5.8
Access vector: NETWORK
Access complexity: MEDIUM
Authentication: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: NONE
Source: http://nvd.nist.gov
Generated: 2015-11-24T12:19:01.707-05:00

References:
BID 58073
REDHAT RHSA-2013:0270
REDHAT RHSA-2013:0679
REDHAT RHSA-2013:0680
REDHAT RHSA-2013:0681
REDHAT RHSA-2013:0682
REDHAT RHSA-2013:1147
REDHAT RHSA-2013:1853
REDHAT RHSA-2014:0224
REDHAT RHSA-2017:0868
UBUNTU USN-2769-1
XF apache-commons-ssl-spoofing(79984)
MISC http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
CONFIRM https://issues.apache.org/jira/browse/HTTPCLIENT-1265
SUSE openSUSE-SU-2013:0354
SUSE openSUSE-SU-2013:0622
SUSE openSUSE-SU-2013:0623
SUSE openSUSE-SU-2013:0638

Summary:
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.