VulnerableCode Package Details - pkg:deb/debian/commons-httpclient@3.1-10.2%2Bdeb7u2

Search for packages

Vulnerability	Summary	Fixed by
VCID-3bxq-vmjj-kqfe Aliases: CVE-2014-3577 GHSA-cfh5-3ghh-wfjx	org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.	3.1-11 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-3ur6-9s61-13a3 Aliases: CVE-2015-5262 GHSA-fmj5-wv96-r2ch	http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.	3.1-12 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-3bxq-vmjj-kqfe
Aliases:
CVE-2014-3577
GHSA-cfh5-3ghh-wfjx

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

3.1-11
Affected by 1 other vulnerability.

VCID-3ur6-9s61-13a3
Aliases:
CVE-2015-5262
GHSA-fmj5-wv96-r2ch

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

3.1-12
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-da65-c1ce-v7f5	http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.	CVE-2012-6153 GHSA-2x83-r56g-cv47
VCID-m27v-7mbm-nffc	Improper Certificate Validation in Apache Commons HttpClient Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Note that the Commons HttpClient project is [end of life](https://hc.apache.org/httpclient-legacy/). It has been replaced by the Apache HttpComponents project in its [HttpClient](https://hc.apache.org/httpcomponents-client-5.4.x/) and [HttpCore](https://hc.apache.org/httpcomponents-core-5.3.x/) modules. CVE-2012-5783 has been patched in [v4.0](https://repo1.maven.org/maven2/org/apache/httpcomponents/httpclient/4.0/) of the Apache HttpComponents HttpClient module.	CVE-2012-5783 GHSA-3832-9276-x7gf

Vulnerability

Summary

Aliases

VCID-da65-c1ce-v7f5

http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.

CVE-2012-6153
GHSA-2x83-r56g-cv47

VCID-m27v-7mbm-nffc

Improper Certificate Validation in Apache Commons HttpClient Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Note that the Commons HttpClient project is [end of life](https://hc.apache.org/httpclient-legacy/). It has been replaced by the Apache HttpComponents project in its [HttpClient](https://hc.apache.org/httpcomponents-client-5.4.x/) and [HttpCore](https://hc.apache.org/httpcomponents-core-5.3.x/) modules. CVE-2012-5783 has been patched in [v4.0](https://repo1.maven.org/maven2/org/apache/httpcomponents/httpclient/4.0/) of the Apache HttpComponents HttpClient module.

CVE-2012-5783
GHSA-3832-9276-x7gf

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-15T21:55:09.110948+00:00	Debian Oval Importer	Fixing	VCID-m27v-7mbm-nffc	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T20:57:07.523068+00:00	Debian Oval Importer	Affected by	VCID-3ur6-9s61-13a3	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T18:49:41.706455+00:00	Debian Oval Importer	Affected by	VCID-3bxq-vmjj-kqfe	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T16:20:58.439496+00:00	Debian Oval Importer	Fixing	VCID-da65-c1ce-v7f5	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-11T21:33:31.907306+00:00	Debian Oval Importer	Fixing	VCID-m27v-7mbm-nffc	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T20:37:29.350273+00:00	Debian Oval Importer	Affected by	VCID-3ur6-9s61-13a3	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T18:34:16.638945+00:00	Debian Oval Importer	Affected by	VCID-3bxq-vmjj-kqfe	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T16:08:16.091180+00:00	Debian Oval Importer	Fixing	VCID-da65-c1ce-v7f5	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-08T21:11:44.100515+00:00	Debian Oval Importer	Fixing	VCID-m27v-7mbm-nffc	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T20:17:34.247999+00:00	Debian Oval Importer	Affected by	VCID-3ur6-9s61-13a3	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T18:19:26.896227+00:00	Debian Oval Importer	Affected by	VCID-3bxq-vmjj-kqfe	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T16:00:53.521246+00:00	Debian Oval Importer	Fixing	VCID-da65-c1ce-v7f5	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0