CVE-2012-5784

Exp

Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Published: 2012-11-04 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2012-5784 is rated High Exploit Risk (74.6/100): CVSS Medium severity, with high exploitation likelihood (EPSS 5.72%, 92th percentile). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +4.16% over the last day, indicating growing attacker interest. Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2012-5784

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2012-5784

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 1.57% 5.72% +4.16%
2 2026-03-11 1.20% 1.57% +0.36%
3 2025-12-01 1.20%

Full EPSS history (12 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2012-5784

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
5.8 2.0 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:N Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:N)
No availability impact.
8.6 4.9 [email protected]

Weakness enumeration for CVE-2012-5784

GitHub Security Advisory for CVE-2012-5784

GHSA-55w9-c3g2-4rrh · Severity: medium · Ecosystem: maven — Man-in-the-middle attack in Apache Axis

OS Trackers for CVE-2012-5784

vendor priority summary link
debian low CVE-2012-5784 low priority: Debian including 1 source packages (axis), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2012-5784
redhat medium https://access.redhat.com/security/cve/CVE-2012-5784
suse medium CVE-2012-5784 severity moderate: SUSE including 11 source package names (axis-1.4-11.65, axis-1.4-150200.13.6.4, …), 22 product×package rows across 20 product lines (SUSE Linux Enterprise High Performance Computing 12 SP5, SUSE Linux Enterprise Module for Basesystem 15, … (20 product lines)): Fixed 22. https://www.suse.com/security/cve/CVE-2012-5784/
ubuntu low CVE-2012-5784 low priority: Ubuntu including 1 source packages (axis), 15 status rows across 15 suites (hardy, lucid, oneiric, precise, quantal, raring, saucy, trusty, upstream, utopic, vivid, wily, xenial, yakkety, zesty): not-affected 8, ignored 5, DNE 1, released 1. https://ubuntu.com/security/CVE-2012-5784

Affected software / configurations for CVE-2012-5784

Vendor Product Version Raw CPE
apache activemq <= 5.7.0 cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
apache axis <= 1.4 cpe:2.3:a:apache:axis:*:*:*:*:*:*:*:*
apache axis cpe:2.3:a:apache:axis:-:alpha1:*:*:*:*:*:*
apache axis cpe:2.3:a:apache:axis:-:alpha2:*:*:*:*:*:*
apache axis cpe:2.3:a:apache:axis:-:alpha3:*:*:*:*:*:*
apache axis cpe:2.3:a:apache:axis:-:beta1:*:*:*:*:*:*
apache axis cpe:2.3:a:apache:axis:-:beta2:*:*:*:*:*:*
apache axis cpe:2.3:a:apache:axis:-:beta3:*:*:*:*:*:*
apache axis 1.0 cpe:2.3:a:apache:axis:1.0:*:*:*:*:*:*:*
apache axis 1.0 cpe:2.3:a:apache:axis:1.0:beta:*:*:*:*:*:*
apache axis 1.0 cpe:2.3:a:apache:axis:1.0:rc1:*:*:*:*:*:*
apache axis 1.0 cpe:2.3:a:apache:axis:1.0:rc2:*:*:*:*:*:*
apache axis 1.1 cpe:2.3:a:apache:axis:1.1:*:*:*:*:*:*:*
apache axis 1.1 cpe:2.3:a:apache:axis:1.1:beta:*:*:*:*:*:*
apache axis 1.1 cpe:2.3:a:apache:axis:1.1:rc1:*:*:*:*:*:*
apache axis 1.1 cpe:2.3:a:apache:axis:1.1:rc2:*:*:*:*:*:*
apache axis 1.2 cpe:2.3:a:apache:axis:1.2:*:*:*:*:*:*:*
apache axis 1.2 cpe:2.3:a:apache:axis:1.2:alpha:*:*:*:*:*:*
apache axis 1.2 cpe:2.3:a:apache:axis:1.2:beta1:*:*:*:*:*:*
apache axis 1.2 cpe:2.3:a:apache:axis:1.2:beta2:*:*:*:*:*:*
apache axis 1.2 cpe:2.3:a:apache:axis:1.2:beta3:*:*:*:*:*:*
apache axis 1.2 cpe:2.3:a:apache:axis:1.2:rc1:*:*:*:*:*:*
apache axis 1.2 cpe:2.3:a:apache:axis:1.2:rc2:*:*:*:*:*:*
apache axis 1.2 cpe:2.3:a:apache:axis:1.2:rc3:*:*:*:*:*:*
apache axis 1.2.1 cpe:2.3:a:apache:axis:1.2.1:*:*:*:*:*:*:*
apache axis 1.3 cpe:2.3:a:apache:axis:1.3:*:*:*:*:*:*:*
paypal mass_pay cpe:2.3:a:paypal:mass_pay:-:*:*:*:*:*:*:*
paypal payments_pro cpe:2.3:a:paypal:payments_pro:-:*:*:*:*:*:*:*
paypal transactional_information_soap cpe:2.3:a:paypal:transactional_information_soap:-:*:*:*:*:*:*:*

References for CVE-2012-5784

URL Tags
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00022.html
http://rhn.redhat.com/errata/RHSA-2013-0269.html Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-0683.html Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-0037.html Third Party Advisory
http://secunia.com/advisories/51219
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf Exploit Technical Description
http://www.securityfocus.com/bid/56408 Third Party Advisory VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/79829
https://lists.apache.org/thread.html/44d4e88a5fa8ae60deb752029afe9054da87c5f859caf296fcf585e5%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/5e6c92145deddcecf70c3604041dcbd615efa2d37632fc2b9c367780%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/8aa25c99eeb0693fc229ec87d1423b5ed5d58558618706d8aba1d832%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/a308887782e05da7cf692e4851ae2bd429a038570cbf594e6631cc8d%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/de2af12dcaba653d02b03235327ca4aa930401813a3cced8e151d29c%40%3Cjava-dev.axis.apache.org%3E
cvelogic Threat Intelligence