Homepage
About Snyk

Improper Certificate Validation Affecting trino package, versions <445-r0

Severity

 Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment

    Threat Intelligence

    EPSS
    0.24% (63rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-WOLFILATEST-TRINO-6669404
  • published 19 Apr 2024
  • disclosed 4 Nov 2012
Report a new vulnerability Found a mistake?

Introduced: 4 Nov 2012

CVE-2012-5783 Open this link in a new tab
CWE-295 Open this link in a new tab

How to fix?

Upgrade Wolfi trino to version 445-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream trino package and not the trino package as distributed by Wolfi. See How to fix? for Wolfi relevant fixed versions and status.

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

References

CVSS Scores

version 3.1
Expand this section

NVD

Recommended
5.4 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    Low
  • Availability (A)
    None