Input validation error in HttpComponents Client

#VU77628 Input validation error in HttpComponents Client

Published: 2023-06-22

Vulnerability identifier: #VU77628

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2012-6153

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
HttpComponents Client
Universal components / Libraries / Software for developers

Vendor:

Description

The vulnerability allows a remote attacker to modify files on the system.

The vulnerability exists due to Apache Commons HttpClient does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. A remote attacker can pass specially crafted input to the application and modify files on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Tivoli Application Dependency Discovery Manager

Multiple vulnerabilities in IBM B2B Advanced Communications and IBM Multi-Enterprise Integration Gateway

Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)

Multiple vulnerabilities in IBM Storage Protect Client, IBM Storage Protect for Virtual Environments, and IBM Storage Protect for Space Management

Multiple vulnerabilities in IBM Tivoli Monitoring

Multiple vulnerabilities in IBM Control Desk

Multiple vulnerabilities in APM Linux KVM Agent