From b966f1bc7b6a9b205ea85513c5f36366b5a81813 Mon Sep 17 00:00:00 2001 From: Kavinda Rajapakse Date: Wed, 8 Jul 2026 14:09:16 +0530 Subject: [PATCH 1/2] CVE-2012-5783: Justification --- .../cve-justifications/2012/CVE-2012-5783.md | 37 +++++++++++++++++++ .../cve-justifications/2012/index.md | 8 ++++ .../cve-justifications/index.md | 1 + en/mkdocs.yml | 3 ++ 4 files changed, 49 insertions(+) create mode 100644 en/docs/security-announcements/cve-justifications/2012/CVE-2012-5783.md create mode 100644 en/docs/security-announcements/cve-justifications/2012/index.md diff --git a/en/docs/security-announcements/cve-justifications/2012/CVE-2012-5783.md b/en/docs/security-announcements/cve-justifications/2012/CVE-2012-5783.md new file mode 100644 index 000000000..196c1f522 --- /dev/null +++ b/en/docs/security-announcements/cve-justifications/2012/CVE-2012-5783.md @@ -0,0 +1,37 @@ +--- +title: "CVE-2012-5783" +category: security-announcements +date: July 8 2026 +--- + +# CVE-2012-5783 + +

WSO2 Products impacted: no

+

Customer action required: no

+ +--- + +### REPORTED VULNERABILITY + +Apache Commons HttpClient 3.x (as used in the affected component version 3.1.0) does not verify that the server hostname matches the domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. This allows a man-in-the-middle attacker to spoof a trusted host using an arbitrary valid certificate [^1]. + +### REPORTED PRODUCTS + +- WSO2 API Manager : 3.1.0, 3.2.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0 + +### WSO2 JUSTIFICATION + +WSO2 API Manager ships a WSO2-maintained fork of Apache Commons HttpClient rather than the upstream `3.1.0` release. In this fork, SSL server hostname verification has been implemented to directly address the missing hostname validation described by `CVE-2012-5783`. This fix is included in `commons-httpclient_3.1.0.wso2v3`, which is the vulnerability-fixed version [^2]. + +Hence, the reported vulnerability is not present in `commons-httpclient_3.1.0.wso2v3` and above. The above-listed products currently bundle a version higher than `commons-httpclient_3.1.0.wso2v3`, so the fix is already in place. + +### CONCLUSION + +- WSO2 products use a WSO2-maintained fork of `commons-httpclient` in which SSL server hostname verification has been implemented. + +Therefore, WSO2 concludes that this vulnerability is **already mitigated in the aforementioned WSO2 products**, and **a dependency upgrade will not be carried out solely based on the detection of CVE-2012-5783**. + +### REFERENCES + +[^1]: [https://nvd.nist.gov/vuln/detail/CVE-2012-5783](https://nvd.nist.gov/vuln/detail/CVE-2012-5783) +[^2]: [https://github.com/wso2/wso2-commons-httpclient/pull/2/](https://github.com/wso2/wso2-commons-httpclient/pull/2/) diff --git a/en/docs/security-announcements/cve-justifications/2012/index.md b/en/docs/security-announcements/cve-justifications/2012/index.md new file mode 100644 index 000000000..53849b8b0 --- /dev/null +++ b/en/docs/security-announcements/cve-justifications/2012/index.md @@ -0,0 +1,8 @@ +--- +title: 2012 CVE Justifications +category: security-announcements +--- + +# 2012 CVE Justifications + +- [CVE-2012-5783]({{#base_path#}}/security-announcements/cve-justifications/2012/CVE-2012-5783) diff --git a/en/docs/security-announcements/cve-justifications/index.md b/en/docs/security-announcements/cve-justifications/index.md index 91815874a..1b347abbb 100644 --- a/en/docs/security-announcements/cve-justifications/index.md +++ b/en/docs/security-announcements/cve-justifications/index.md @@ -15,3 +15,4 @@ This section contains clarifications and justifications for the CVEs that are as * [2020 CVE Justifications]({{#base_path#}}/security-announcements/cve-justifications/2020/) * [2019 CVE Justifications]({{#base_path#}}/security-announcements/cve-justifications/2019/) * [2014 CVE Justifications]({{#base_path#}}/security-announcements/cve-justifications/2014/) +* [2012 CVE Justifications]({{#base_path#}}/security-announcements/cve-justifications/2012/) diff --git a/en/mkdocs.yml b/en/mkdocs.yml index c61f84b91..0598d6fc5 100644 --- a/en/mkdocs.yml +++ b/en/mkdocs.yml @@ -543,6 +543,9 @@ nav: - '2014': - '': 'security-announcements/cve-justifications/2014/index.md' - 'CVE-2014-3623': 'security-announcements/cve-justifications/2014/CVE-2014-3623.md' + - '2012': + - '': 'security-announcements/cve-justifications/2012/index.md' + - 'CVE-2012-5783': 'security-announcements/cve-justifications/2012/CVE-2012-5783.md' - 'Incident Clarifications': - '': 'security-announcements/incident-clarifications/index.md' - '2026': From 17a1f7639720872b5bae51d1e7cbb5cdb5b4f549 Mon Sep 17 00:00:00 2001 From: Kavinda Rajapakse Date: Wed, 8 Jul 2026 15:42:34 +0530 Subject: [PATCH 2/2] Address review comments --- .../cve-justifications/2012/index.md | 8 -------- .../cve-justifications/{2012 => 2026}/CVE-2012-5783.md | 0 .../cve-justifications/2026/index.md | 1 + .../security-announcements/cve-justifications/index.md | 1 - en/mkdocs.yml | 4 +--- 5 files changed, 2 insertions(+), 12 deletions(-) delete mode 100644 en/docs/security-announcements/cve-justifications/2012/index.md rename en/docs/security-announcements/cve-justifications/{2012 => 2026}/CVE-2012-5783.md (100%) diff --git a/en/docs/security-announcements/cve-justifications/2012/index.md b/en/docs/security-announcements/cve-justifications/2012/index.md deleted file mode 100644 index 53849b8b0..000000000 --- a/en/docs/security-announcements/cve-justifications/2012/index.md +++ /dev/null @@ -1,8 +0,0 @@ ---- -title: 2012 CVE Justifications -category: security-announcements ---- - -# 2012 CVE Justifications - -- [CVE-2012-5783]({{#base_path#}}/security-announcements/cve-justifications/2012/CVE-2012-5783) diff --git a/en/docs/security-announcements/cve-justifications/2012/CVE-2012-5783.md b/en/docs/security-announcements/cve-justifications/2026/CVE-2012-5783.md similarity index 100% rename from en/docs/security-announcements/cve-justifications/2012/CVE-2012-5783.md rename to en/docs/security-announcements/cve-justifications/2026/CVE-2012-5783.md diff --git a/en/docs/security-announcements/cve-justifications/2026/index.md b/en/docs/security-announcements/cve-justifications/2026/index.md index 342bc86d4..a234bd378 100644 --- a/en/docs/security-announcements/cve-justifications/2026/index.md +++ b/en/docs/security-announcements/cve-justifications/2026/index.md @@ -21,4 +21,5 @@ category: security-announcements - [CVE-2019-11358]({{#base_path#}}/security-announcements/cve-justifications/2026/CVE-2019-11358) - [CVE-2015-9251]({{#base_path#}}/security-announcements/cve-justifications/2026/CVE-2015-9251) - [CVE-2012-6708]({{#base_path#}}/security-announcements/cve-justifications/2026/CVE-2012-6708) +- [CVE-2012-5783]({{#base_path#}}/security-announcements/cve-justifications/2026/CVE-2012-5783) - [Bluebird Memory Leak Vulnerability (NPM)]({{#base_path#}}/security-announcements/cve-justifications/2026/bluebird-memory-leak-vulnerability-npm) diff --git a/en/docs/security-announcements/cve-justifications/index.md b/en/docs/security-announcements/cve-justifications/index.md index 1b347abbb..91815874a 100644 --- a/en/docs/security-announcements/cve-justifications/index.md +++ b/en/docs/security-announcements/cve-justifications/index.md @@ -15,4 +15,3 @@ This section contains clarifications and justifications for the CVEs that are as * [2020 CVE Justifications]({{#base_path#}}/security-announcements/cve-justifications/2020/) * [2019 CVE Justifications]({{#base_path#}}/security-announcements/cve-justifications/2019/) * [2014 CVE Justifications]({{#base_path#}}/security-announcements/cve-justifications/2014/) -* [2012 CVE Justifications]({{#base_path#}}/security-announcements/cve-justifications/2012/) diff --git a/en/mkdocs.yml b/en/mkdocs.yml index 0598d6fc5..ed72b726a 100644 --- a/en/mkdocs.yml +++ b/en/mkdocs.yml @@ -492,6 +492,7 @@ nav: - 'CVE-2019-11358': 'security-announcements/cve-justifications/2026/CVE-2019-11358.md' - 'CVE-2015-9251': 'security-announcements/cve-justifications/2026/CVE-2015-9251.md' - 'CVE-2012-6708': 'security-announcements/cve-justifications/2026/CVE-2012-6708.md' + - 'CVE-2012-5783': 'security-announcements/cve-justifications/2026/CVE-2012-5783.md' - 'Bluebird Memory Leak Vulnerability (NPM)': 'security-announcements/cve-justifications/2026/bluebird-memory-leak-vulnerability-npm.md' - '2025': - '': 'security-announcements/cve-justifications/2025/index.md' @@ -543,9 +544,6 @@ nav: - '2014': - '': 'security-announcements/cve-justifications/2014/index.md' - 'CVE-2014-3623': 'security-announcements/cve-justifications/2014/CVE-2014-3623.md' - - '2012': - - '': 'security-announcements/cve-justifications/2012/index.md' - - 'CVE-2012-5783': 'security-announcements/cve-justifications/2012/CVE-2012-5783.md' - 'Incident Clarifications': - '': 'security-announcements/incident-clarifications/index.md' - '2026':