Vulnerabilities > CVE-2012-6107 - Cryptographic Issues vulnerability in Apache Axis2/C

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
apache
CWE-310
NVD
Published: 2014-09-29
Updated: 2023-02-13

Summary

Apache Axis2/C does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Vulnerable Configurations

Part Description Count
Application
Apache
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 57267 CVE(CAN) ID: CVE-2012-6107 Axis2是一个用C语言实现的Web服务引擎。 Apache Axis2/C在实现上存在安全绕过漏洞,成功利用后可允许攻击者执行中间人攻击或模拟受信任的服务器。 0 Apache Group Axis2/C 厂商补丁: Apache Group ------------ 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: http://httpd.apache.org/
idSSV:60589
last seen2017-11-19
modified2013-01-14
published2013-01-14
reporterRoot
titleApache Axis2/C SSL证书验证安全绕过漏洞

References