Description
Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Remediation
References
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00022.html
http://rhn.redhat.com/errata/RHSA-2013-0269.html
http://rhn.redhat.com/errata/RHSA-2013-0683.html
http://rhn.redhat.com/errata/RHSA-2014-0037.html
http://secunia.com/advisories/51219
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
http://www.securityfocus.com/bid/56408
https://exchange.xforce.ibmcloud.com/vulnerabilities/79829
https://lists.apache.org/thread.html/44d4e88a5fa8ae60deb752029afe9054da87c5f859caf296fcf585e5%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/5e6c92145deddcecf70c3604041dcbd615efa2d37632fc2b9c367780%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/8aa25c99eeb0693fc229ec87d1423b5ed5d58558618706d8aba1d832%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/a308887782e05da7cf692e4851ae2bd429a038570cbf594e6631cc8d%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/de2af12dcaba653d02b03235327ca4aa930401813a3cced8e151d29c%40%3Cjava-dev.axis.apache.org%3E
Related Vulnerabilities
CVE-2021-25924 Vulnerability in maven package cd.go.plugin:go-plugin-api
CVE-2022-37223 Vulnerability in maven package com.jflyfox:jflyfox_jfinal
CVE-2017-16150 Vulnerability in npm package wangguojing123
CVE-2020-7760 Vulnerability in maven package org.webjars.bower:codemirror
CVE-2019-17495 Vulnerability in maven package org.webjars.npm:swagger-ui