CVE-2014-3577

Date: created 2014-08-22, modified 2017-08-29

CVSS Score: 5.8
Exploitability Subscore: 8.6
Impact Subscore: 4.9
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: NONE
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
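As an added illustration of the pattern behind this flaw (constructed here in Python, not HttpClient's own Java code): the subject DN is rendered to a single string and re-tokenized on commas, so a comma inside the O value manufactures a fake CN, whereas reading CN from the structured attribute list cannot be fooled. The subject, the simplified RFC 2253 renderer and the hostname check are all assumptions of this example.

```python
# Constructed illustration of the CVE-2014-3577 pattern; not HttpClient's code.
# A certificate subject is a sequence of (attribute, value) pairs. The flawed
# verifier rendered it to one string and re-split that string on ',' and '+'.

def render_rfc2253(subject):
    """Render structured RDNs as an RFC 2253 string (simplified: only the
    special characters are escaped). A comma inside a value becomes '\\,'."""
    special = ',+"\\<>;'
    parts = []
    for attr, value in subject:
        escaped = "".join("\\" + c if c in special else c for c in value)
        parts.append(f"{attr}={escaped}")
    return ",".join(parts)

def naive_cns(dn_string):
    """Vulnerable extraction: tokenize the rendered DN on ',' / '+' and keep
    every token that starts with 'CN='. Escapes are ignored, so an escaped
    comma inside the O value is mistaken for an attribute boundary."""
    cns = []
    for tok in dn_string.replace("+", ",").split(","):
        tok = tok.strip()
        if tok[:3].upper() == "CN=":
            cns.append(tok[3:])
    return cns

def structured_cns(subject):
    """Fixed extraction: take CN values from the structured attribute list.
    A comma in any other attribute's value can never create a CN here."""
    return [value for attr, value in subject if attr.upper() == "CN"]

def hostname_matches(cns, host):
    """Exact, case-insensitive match of the expected host against the CNs."""
    return any(cn.lower() == host.lower() for cn in cns)

# Constructed subject: O carries the crafted string quoted in the advisory;
# the only CN the certificate actually names is an unrelated host.
CRAFTED_SUBJECT = [("O", "foo,CN=www.apache.org"), ("CN", "other.example")]

if __name__ == "__main__":
    dn = render_rfc2253(CRAFTED_SUBJECT)
    print(dn)  # O=foo\,CN=www.apache.org,CN=other.example
    print(naive_cns(dn))  # ['www.apache.org', 'other.example']
    print(hostname_matches(naive_cns(dn), "www.apache.org"))  # True: spoofed
    print(hostname_matches(structured_cns(CRAFTED_SUBJECT), "www.apache.org"))  # False
```

A verifier should also prefer dNSName entries from subjectAltName over CN when they are present; the example stays with the CN path the advisory describes.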


CPE (37 entries):
cpe:/a:apache:httpasyncclient:4.0
cpe:/a:apache:httpclient:4.0:beta2
cpe:/a:apache:httpclient:4.0:beta1
cpe:/a:apache:httpasyncclient:4.0.1
...