Alberto Fernández

**Name of the Vulnerable Software and Affected Versions** Apache Commons HttpClient versions 3.x **Description** The issue arises from the failure to verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. This allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. The vulnerability can be exploited by persuading a victim to visit a Web site containing a specially-crafted certificate, enabling attackers to conduct spoofing attacks using man-in-the-middle techniques. **Recommendations** For Apache Commons HttpClient version 3.x, consider upgrading to a newer version of the Apache HttpComponents HttpClient module, such as version 4.0 or later, which has patched this issue. As a temporary workaround, restrict the use of SSL connections to trusted servers with verified certificates. Avoid using the vulnerable Apache Commons HttpClient version 3.x for sensitive transactions until a patch is applied or an upgrade is performed.