CVE-2012-5785

Apache Axis2/Java 1.6.2 and earlier does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Published: Nov 4, 2012
Updated: May 9, 2024
CVE: CVE-2012-5785
GHSA: GHSA-wwq7-pxwc-p4rc
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5.8
AV:N/AC:M/Au:N/C:P/I:P/A:N

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
apache / axis2	1.6	1.6.x
apache / axis2	1.6.1	1.6.1.x
apache / axis2	1.5.5	1.5.5.x
apache / axis2	1.5.4	1.5.4.x
apache / axis2	1.5.3	1.5.3.x
apache / axis2	1.5.1	1.5.1.x
apache / axis2	1.5.6	1.5.6.x
apache / axis2	-	1.6.2.x
apache / axis2	1.5.2	1.5.2.x
org.apache.axis2 / axis2	-	1.8.0

http://secunia.com/advisories/51219
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
http://www.securityfocus.com/bid/56408
https://exchange.xforce.ibmcloud.com/vulnerabilities/79830
https://issues.apache.org/jira/browse/AXIS2-6018

Vulnerability Database

290,206

CVE-2012-5785