CVE-2014-3577
Date: created 2014-08-22, modified 2018-07-19


org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
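The flaw described above, re-created as an added Python example (it is not Apache HttpClient's own code, which is Java): a CN extractor that splits the subject DN string on commas, beside an RDN-aware parser that honours RFC 4514 escaping, which is what a hostname verifier must use. ATTACKER_DN is a constructed subject for this example, and the function names are this example's own.

```python
import string

# Constructed attacker-controlled certificate subject (RFC 4514 string form,
# as Java's X500Principal.getName() would emit it). The genuine CN is a host
# the attacker owns; the O value smuggles ",CN=www.apache.org" behind an
# escaped comma. Assumed input for this example only.
ATTACKER_DN = r"CN=attacker.example,O=foo\,CN=www.apache.org,C=US"


def naive_extract_cns(dn):
    """Re-creation of the flawed approach (not the library's code): split the
    DN string on ',' and keep every token that starts with 'CN='. Escaping
    is ignored, so an attribute value containing '\\,CN=' yields a fake CN."""
    cns = []
    for tok in dn.split(","):
        tok = tok.strip()
        if len(tok) > 3 and tok[:3].upper() == "CN=":
            cns.append(tok[3:])
    return cns


def _finish(attr_type, buf):
    if attr_type is None:
        raise ValueError("attribute value without a type")
    return attr_type.strip().lower(), b"".join(buf).decode("utf-8")


def parse_rdns(dn):
    """Parse an RFC 4514 DN string into a list of RDNs, each a list of
    (type, value) pairs. Handles backslash escapes ('\\,' and '\\2C' hex
    pairs) and '+' multi-valued RDNs; RFC 1779 double-quoting is out of
    scope. Separators are only honoured when they are unescaped."""
    if not dn:
        return []
    rdns, rdn, buf, attr_type = [], [], [], None
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == "\\":
            if i + 1 >= n:
                raise ValueError("dangling backslash")
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                buf.append(bytes([int(pair, 16)]))      # \2C -> ','
                i += 3
            else:
                buf.append(dn[i + 1].encode("utf-8"))  # \, \+ \" \\ ...
                i += 2
            continue
        if ch == "=" and attr_type is None:
            attr_type = b"".join(buf).decode("utf-8")
            buf = []
        elif ch == "+":                 # next value of the same RDN
            rdn.append(_finish(attr_type, buf))
            attr_type, buf = None, []
        elif ch == ",":                 # next RDN
            rdn.append(_finish(attr_type, buf))
            rdns.append(rdn)
            rdn, attr_type, buf = [], None, []
        else:
            buf.append(ch.encode("utf-8"))
        i += 1
    rdn.append(_finish(attr_type, buf))
    rdns.append(rdn)
    return rdns


def extract_cns(dn):
    """CN values taken from parsed RDNs, so only a real CN attribute counts."""
    return [v for rdn in parse_rdns(dn) for t, v in rdn if t == "cn"]


def hostname_matches(host, names):
    """Case-insensitive exact match, plus a single left-most wildcard label."""
    host = host.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            suffix = name[2:]
            if "." in suffix and host.split(".", 1)[1] == suffix:
                return True
    return False


def verify(dn, host, extractor):
    """True if `host` is accepted for a certificate whose subject is `dn`,
    using `extractor` to obtain the CN candidates."""
    return hostname_matches(host, extractor(dn))


if __name__ == "__main__":
    for label, fn in (("naive", naive_extract_cns), ("rdn-aware", extract_cns)):
        print(label, fn(ATTACKER_DN), verify(ATTACKER_DN, "www.apache.org", fn))
```

With the naive extractor the attacker's certificate is accepted for www.apache.org; with the RDN-aware parser the smuggled text stays inside the O value and only attacker.example matches. The fixed releases named above (HttpClient 4.3.5, HttpAsyncClient 4.0.2) likewise parse the DN into RDNs instead of tokenising the string. Independently of this bug, RFC 6125 practice is to match against subjectAltName dNSName entries and fall back to the CN only when the certificate carries no SAN.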

CVSS Score and Metrics

CVSS V3 Severity: (not listed)
CVSS V3 Metrics: (not listed)

CVSS V2 Severity:
  CVSS Score: 5.8
  Exploit Score: 8.6
  Impact Score: 4.9

CVSS V2 Metrics:
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: NONE
  
References:
SECTRACK-1030812
OSVDB-110143
http://seclists.org/fulldisclosure/2014/Aug/48
SECUNIA-60466
SECUNIA-60589
SECUNIA-60713
BID-69258
RHSA-2014:1146
RHSA-2014:1166
RHSA-2014:1833
RHSA-2014:1834
RHSA-2014:1835
RHSA-2014:1836
RHSA-2014:1891
RHSA-2014:1892
RHSA-2015:0125
RHSA-2015:0158
RHSA-2015:0675
RHSA-2015:0720
RHSA-2015:0765
RHSA-2015:0850
RHSA-2015:0851
RHSA-2015:1176
RHSA-2015:1177
RHSA-2015:1888
RHSA-2016:1773
RHSA-2016:1931
USN-2769-1
apache-cve20143577-spoofing(95327)
http://packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-Middle.html
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://access.redhat.com/solutions/1165533
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05363782

CPE (37 entries)
cpe:/a:apache:httpasyncclient:4.0
cpe:/a:apache:httpclient:4.0:beta2
cpe:/a:apache:httpclient:4.0:beta1
cpe:/a:apache:httpasyncclient:4.0.1
...
OVAL (17 entries)
oval:org.secpod.oval:def:107433
oval:org.secpod.oval:def:107435
oval:org.secpod.oval:def:203407
oval:org.secpod.oval:def:107389
...

© SecPod Technologies