diff --git a/en/docs/security-announcements/cve-justifications/2026/CVE-2012-5783.md b/en/docs/security-announcements/cve-justifications/2026/CVE-2012-5783.md new file mode 100644 index 00000000..196c1f52 --- /dev/null +++ b/en/docs/security-announcements/cve-justifications/2026/CVE-2012-5783.md @@ -0,0 +1,37 @@ +--- +title: "CVE-2012-5783" +category: security-announcements +date: July 8 2026 +--- + +# CVE-2012-5783 + +
WSO2 Products impacted: no
+Customer action required: no
+ +--- + +### REPORTED VULNERABILITY + +Apache Commons HttpClient 3.x (as used in the affected component version 3.1.0) does not verify that the server hostname matches the domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. This allows a man-in-the-middle attacker to spoof a trusted host using an arbitrary valid certificate [^1]. + +### REPORTED PRODUCTS + +- WSO2 API Manager : 3.1.0, 3.2.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0 + +### WSO2 JUSTIFICATION + +WSO2 API Manager ships a WSO2-maintained fork of Apache Commons HttpClient rather than the upstream `3.1.0` release. In this fork, SSL server hostname verification has been implemented to directly address the missing hostname validation described by `CVE-2012-5783`. This fix is included in `commons-httpclient_3.1.0.wso2v3`, which is the vulnerability-fixed version [^2]. + +Hence, the reported vulnerability is not present in `commons-httpclient_3.1.0.wso2v3` and above. The above-listed products currently bundle a version higher than `commons-httpclient_3.1.0.wso2v3`, so the fix is already in place. + +### CONCLUSION + +- WSO2 products use a WSO2-maintained fork of `commons-httpclient` in which SSL server hostname verification has been implemented. + +Therefore, WSO2 concludes that this vulnerability is **already mitigated in the aforementioned WSO2 products**, and **a dependency upgrade will not be carried out solely based on the detection of CVE-2012-5783**. + +### REFERENCES + +[^1]: [https://nvd.nist.gov/vuln/detail/CVE-2012-5783](https://nvd.nist.gov/vuln/detail/CVE-2012-5783) +[^2]: [https://github.com/wso2/wso2-commons-httpclient/pull/2/](https://github.com/wso2/wso2-commons-httpclient/pull/2/) diff --git a/en/docs/security-announcements/cve-justifications/2026/index.md b/en/docs/security-announcements/cve-justifications/2026/index.md index 342bc86d..a234bd37 100644 --- a/en/docs/security-announcements/cve-justifications/2026/index.md +++ b/en/docs/security-announcements/cve-justifications/2026/index.md @@ -21,4 +21,5 @@ category: security-announcements - [CVE-2019-11358]({{#base_path#}}/security-announcements/cve-justifications/2026/CVE-2019-11358) - [CVE-2015-9251]({{#base_path#}}/security-announcements/cve-justifications/2026/CVE-2015-9251) - [CVE-2012-6708]({{#base_path#}}/security-announcements/cve-justifications/2026/CVE-2012-6708) +- [CVE-2012-5783]({{#base_path#}}/security-announcements/cve-justifications/2026/CVE-2012-5783) - [Bluebird Memory Leak Vulnerability (NPM)]({{#base_path#}}/security-announcements/cve-justifications/2026/bluebird-memory-leak-vulnerability-npm) diff --git a/en/mkdocs.yml b/en/mkdocs.yml index c61f84b9..ed72b726 100644 --- a/en/mkdocs.yml +++ b/en/mkdocs.yml @@ -492,6 +492,7 @@ nav: - 'CVE-2019-11358': 'security-announcements/cve-justifications/2026/CVE-2019-11358.md' - 'CVE-2015-9251': 'security-announcements/cve-justifications/2026/CVE-2015-9251.md' - 'CVE-2012-6708': 'security-announcements/cve-justifications/2026/CVE-2012-6708.md' + - 'CVE-2012-5783': 'security-announcements/cve-justifications/2026/CVE-2012-5783.md' - 'Bluebird Memory Leak Vulnerability (NPM)': 'security-announcements/cve-justifications/2026/bluebird-memory-leak-vulnerability-npm.md' - '2025': - '': 'security-announcements/cve-justifications/2025/index.md'