GHSA-r53v-vm87-f72c

Suggest an improvement
Source
https://github.com/advisories/GHSA-r53v-vm87-f72c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r53v-vm87-f72c/GHSA-r53v-vm87-f72c.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-r53v-vm87-f72c
Aliases
Published
2018-10-16T20:50:58Z
Modified
2024-12-07T05:39:24.989989Z
Summary
Improper Validation of Certificates in apache axis
Details

The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.

Database specific
{
    "nvd_published_at": "2014-08-27T00:55:00Z",
    "cwe_ids": [
        "CWE-297"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:53:43Z"
}
References

Affected packages

Maven / org.apache.axis:axis

Package

Name
org.apache.axis:axis
View open source insights on deps.dev
Purl
pkg:maven/org.apache.axis/axis

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
1.4

Affected versions

1.*

1.4

Maven / axis:axis

Package

Name
axis:axis
View open source insights on deps.dev
Purl
pkg:maven/axis/axis

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
1.4

Affected versions

1.*

1.0
1.1-beta
1.1
1.2-alpha-1
1.2-beta-2
1.2-beta-3
1.2-RC1
1.2-RC2
1.2-RC3
1.2
1.2.1
1.3
1.4