CVE-2012-5817 – org.codehaus.xfire:xfire-core

Package

Manager: maven
Name: org.codehaus.xfire:xfire-core
Vulnerable Version: >=0 <=1.2.6

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00132 pctl0.33555

Details

Improper Input Validation in XFire Codehaus XFire 1.2.6 and earlier, as used in the Amazon EC2 API Tools Java library and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Metadata

Created: 2022-05-17T01:38:40Z
Modified: 2024-02-14T21:29:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5jc8-8xhv-g8qm/GHSA-5jc8-8xhv-g8qm.json
CWE IDs: ["CWE-20", "CWE-295"]
Alternative ID: GHSA-5jc8-8xhv-g8qm
Finding: F184
Auto approve: 1