5l1D3R / Github-actions


CVE: 2012-6153 found in HttpClient - Version: 3.1 [JAVA] #19

Open github-actions[bot] opened 1 year ago

github-actions[bot] commented 1 year ago

Veracode Software Composition Analysis

| Attribute | Details |
| --- | --- |
| Library | HttpClient |
| Description | The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1), several related specifications (RFC 2109 (Cookies), RFC 2617 (HTTP Authentication), etc.), and prov |
| Language | JAVA |
| Vulnerability | Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers |
| Vulnerability description | org.apache.httpcomponents:httpclient and commons-httpclient:commons-httpclient are vulnerable to man-in-the-middle attacks. The library does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows remote attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783. |
| CVE | 2012-6153 |
| CVSS score | 4.3 |
| Vulnerability present in version/s | 2.0-alpha3-3.1 |
| Found library version/s | 3.1 |
| Vulnerability fixed in version | |
| Library latest version | 3.1 |
| Fix | No fix version for this range. It is recommended to use an alternative package. |

Links:

github-actions[bot] commented 1 year ago

Veracode issue link to PR: https://github.com/5l1D3R/Github-actions/pull/2