CVE-2014-3522

Опубликовано: 19 авг. 2014

Источник: nvd

CVSS2: 4

EPSS Низкий

Описание

The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

Комментарий

CWE-297: Improper Validation of Certificate with Host Mismatch

Ссылки

http://lists.apple.com/archives/security-announce/2015/Mar/msg00003.html
Mailing List
Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2014-08/msg00038.html
Third Party Advisory
http://secunia.com/advisories/59432
http://secunia.com/advisories/59584
http://secunia.com/advisories/60100
http://secunia.com/advisories/60722
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
http://www.osvdb.org/109996
http://www.securityfocus.com/bid/69237
Third Party Advisory
VDB Entry
http://www.ubuntu.com/usn/USN-2316-1
Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/95090
https://exchange.xforce.ibmcloud.com/vulnerabilities/95311
https://security.gentoo.org/glsa/201610-05
https://subversion.apache.org/security/CVE-2014-3522-advisory.txt
Patch
Vendor Advisory
https://support.apple.com/HT204427
Third Party Advisory
http://lists.apple.com/archives/security-announce/2015/Mar/msg00003.html
Mailing List
Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2014-08/msg00038.html
Third Party Advisory
http://secunia.com/advisories/59432
http://secunia.com/advisories/59584
http://secunia.com/advisories/60100

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:subversion:1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.4.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.4.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.4.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.4.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.4.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.4.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.5.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.5.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.5.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.5.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.5.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.5.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.5.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.5.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.5.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.13:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.14:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.15:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.16:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.17:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.18:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.19:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.20:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.21:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.23:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.13:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.14:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.15:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.16:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.17:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.9:*:*:*:*:*:*:*

Конфигурация 2

Одно из

cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

Конфигурация 4

cpe:2.3:a:apple:xcode:6.1.1:*:*:*:*:*:*:*

EPSS

Процентиль: 81%

0.01595

Низкий

4 Medium

CVSS2

Дефекты

CWE-297

Связанные уязвимости

CVE-2014-3522

ubuntu

почти 11 лет назад

CVE-2014-3522

redhat

около 11 лет назад

CVE-2014-3522

debian

почти 11 лет назад

The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7. ...

GHSA-962w-gj84-vpr7

github

больше 3 лет назад

BDU:2015-00405

fstec

почти 11 лет назад

Уязвимость программного обеспечения Apache Subversion, позволяющая удаленному злоумышленнику нарушить конфиденциальность и целостность защищаемой информации

EPSS

Процентиль: 81%

0.01595

Низкий

4 Medium

CVSS2

Дефекты

CWE-297