Man-in-the-Middlecommons-httpclient:commons-httpclient is a HttpClient component of the Apache HttpComponents project.
Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). due to not verifing the requesting server's hostname agains existing domain names in the SSL Certificate. The AbstractVerifier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field.
NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.
Man-in-the-Middle
commons-httpclient:commons-httpclientis a HttpClient component of the Apache HttpComponents project.Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). due to not verifing the requesting server's hostname agains existing domain names in the SSL Certificate. The
AbstractVerifierdoes not properly verify that the server hostname matches a domain name in the subject'sCommon Name (CN)orsubjectAltNamefield of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field.NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.
Depending on
org.springframework.security.extensions:spring-security-saml2-core:jar:1.0.9.RELEASESee: https://github.com/spring-projects/spring-security-saml/issues/459