Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
AV:N/AC:M/Au:N/C:P/I:P/A:NApache Activemq
APPApache≤ 5.7.0Apache Axis
APPApache1.01.11.21.2.11.3≤ 1.4Paypal Mass Pay
APPPaypalwszystkie wersjePaypal Payments Pro
APPPaypalwszystkie wersjePaypal Transactional Information Soap
APPPaypalwszystkie wersje
Related vulnerabilities
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a ...
The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and exec...
** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvio...
A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to ...
Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may a...