Description
Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Remediation
References
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
http://secunia.com/advisories/51219
http://www.securityfocus.com/bid/56408
http://rhn.redhat.com/errata/RHSA-2013-0269.html
http://rhn.redhat.com/errata/RHSA-2013-0683.html
http://rhn.redhat.com/errata/RHSA-2014-0037.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/79829
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00022.html
https://lists.apache.org/thread.html/44d4e88a5fa8ae60deb752029afe9054da87c5f859caf296fcf585e5%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/de2af12dcaba653d02b03235327ca4aa930401813a3cced8e151d29c%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/8aa25c99eeb0693fc229ec87d1423b5ed5d58558618706d8aba1d832%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/a308887782e05da7cf692e4851ae2bd429a038570cbf594e6631cc8d%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/5e6c92145deddcecf70c3604041dcbd615efa2d37632fc2b9c367780%40%3Cjava-dev.axis.apache.org%3E
Related Vulnerabilities
CVE-2017-16010 Vulnerability in maven package org.webjars.bower:i18next
CVE-2020-8910 Vulnerability in maven package org.webjars.npm:google-closure-library
CVE-2020-17510 Vulnerability in maven package org.apache.shiro:shiro-spring-boot-web-starter
CVE-2021-25915 Vulnerability in npm package changeset
CVE-2020-8141 Vulnerability in maven package org.webjars.npm:dot