CVE-2012-5817: Improper Input Validation

May 17, 2022 (updated July 12, 2022)

Codehaus XFire 1.2.6 and earlier, as used in the Amazon EC2 API Tools Java library and other products, does not verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

References

www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
exchange.xforce.ibmcloud.com/vulnerabilities/79934
github.com/advisories/GHSA-5jc8-8xhv-g8qm
nvd.nist.gov/vuln/detail/CVE-2012-5817

Code Behaviors & Features

Detect and mitigate CVE-2012-5817 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →