Apache Axis did not verify that the server hostname matched the domain name in the subject"s Common Name or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name