PT-2012-6096 · Paypal+3 · Paypal Payments Pro+6

David Jorm

·

Published

2012-11-04

·

Updated

2020-10-07

·

CVE-2012-5784

CVSS v2.0

5.8

Medium

VectorAV:N/AC:M/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions Apache Axis versions 1.4 and earlier
Description The issue allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate because it does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. This affects products such as PayPal Payments Pro, PayPal Mass Pay, and PayPal Transactional Information SOAP, as well as the Java Message Service implementation in Apache ActiveMQ.
Recommendations For Apache Axis versions 1.4 and earlier, consider updating to a version that properly verifies the server hostname against the X.509 certificate to prevent SSL server spoofing. As a temporary workaround, restrict access to sensitive services utilizing Apache Axis to minimize the risk of exploitation.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2012-5784
DLA-169-1
GHSA-55W9-C3G2-4RRH
MGASA-2013-0200
OPENSUSE-SU-2019:1497-1
OPENSUSE-SU-2019_1497-1
OPENSUSE-SU-2019_1526-1
OPENSUSE-SU-2024:10646-1
RHSA-2013:0269
RHSA-2013:0683
RHSA-2013_0269
RHSA-2013_0683
RHSA-2014:0037
RHSA-2014:1123
SUSE-SU-2019:1373-1
SUSE-SU-2019:1373-2
SUSE-SU-2019:1382-1
SUSE-SU-2019_1373-1
SUSE-SU-2019_1373-2
SUSE-SU-2019_1382-1

Affected Products

Apache Activemq
Apache Axis
Paypal Mass Pay
Paypal Payments Pro
Paypal Transactional Information Soap
Red Hat
Suse