vdenotaris / spring-boot-security-saml-sample

SBS3 — A sample SAML 2.0 Service Provider built on Spring Boot.

Home Page: https://sbs3.vdenotaris.com

Improper Certificate Validation (CVE-2012-5783)

vdenotaris opened this issue

Improper Certificate Validation
commons-httpclient:commons-httpclient is a component of the Apache HttpComponents project.

Affected versions of this package are vulnerable to Man-in-the-Middle attacks due to not verifying that the requesting server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. This allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Depending on
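
The check that the description above says is missing, as an added example that is not part of the original issue or of the project's code: match the hostname the client intended to reach against the certificate's subjectAltName DNS entries, falling back to the subject CN only when no such entry exists. The class and method names are hypothetical, the names in `main` are constructed, and the example is narrowed to DNS names (IP-address SAN entries are not handled).

```java
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added example (hypothetical class and method names), not code from the project.
public class HostnameCheck {

    // dNSName SAN entries (GeneralName type 2); the subject CN is used only when there are none.
    static List<String> identities(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null if no SAN extension
        if (sans != null)
            for (List<?> san : sans)
                if (((Integer) san.get(0)) == 2) names.add((String) san.get(1));
        if (names.isEmpty())
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
                if (rdn.getType().equalsIgnoreCase("CN")) names.add(rdn.getValue().toString());
        return names;
    }

    // Case-insensitive; "*" is accepted only as the whole left-most label and covers one label.
    static boolean matches(String host, String pattern) {
        host = host.toLowerCase(Locale.ROOT);
        pattern = pattern.toLowerCase(Locale.ROOT);
        if (!pattern.startsWith("*.")) return host.equals(pattern);
        String suffix = pattern.substring(1);          // e.g. ".example.test"
        if (suffix.indexOf('.', 1) < 0) return false;  // refuse "*.test"
        if (!host.endsWith(suffix)) return false;
        String label = host.substring(0, host.length() - suffix.length());
        return !label.isEmpty() && label.indexOf('.') < 0;
    }

    // True only if at least one certificate name matches the intended host.
    static boolean verify(String host, List<String> certNames) {
        return certNames.stream().anyMatch(n -> matches(host, n));
    }

    public static void main(String[] args) {
        // Constructed name lists standing in for identities(peerCertificate).
        String host = "idp.example.test";
        List<String> otherSite = Arrays.asList("www.other.test", "*.other.test");
        List<String> wildcard = Arrays.asList("*.example.test");
        System.out.println("valid cert for another site: " + verify(host, otherSite));
        System.out.println("wildcard for same domain:    " + verify(host, wildcard));
        System.out.println("wildcard, two labels deep:   " + verify("a.b.example.test", wildcard));
    }
}
```

On a raw `SSLSocket`, the JSSE built-in check enabled with `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` performs this verification during the handshake and is preferable to a hand-written matcher.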