CVE-2014-3577

Опубликовано: 21 авг. 2014

Источник: nvd

CVSS2: 5.8

EPSS Низкий

Описание

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

Комментарий

CWE-297: Improper Validation of Certificate with Host Mismatch

Ссылки

http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00032.html
http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00033.html
http://packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-Middle.html
Exploit
Third Party Advisory
VDB Entry
http://rhn.redhat.com/errata/RHSA-2014-1146.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1166.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1833.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1834.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1835.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1836.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1891.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1892.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-0125.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-0158.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-0675.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-0720.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-0765.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-0850.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-0851.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-1176.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-1177.html
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:httpclient:*:*:*:*:*:*:*:*

Версия от 4.0 (включая) до 4.3.4 (включая)

Конфигурация 2

cpe:2.3:a:apache:httpasyncclient:*:*:*:*:*:*:*:*

Версия от 4.0 (включая) до 4.0.1 (включая)

EPSS

Процентиль: 79%

0.01367

Низкий

5.8 Medium

CVSS2

Дефекты

NVD-CWE-Other

Связанные уязвимости

CVE-2014-3577

ubuntu

около 11 лет назад

CVE-2014-3577

CVSS3: 4.8

redhat

около 11 лет назад

CVE-2014-3577

debian

около 11 лет назад

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents Htt ...

GHSA-cfh5-3ghh-wfjx

github

почти 7 лет назад

Improper Verification of Cryptographic Signature in org.apache.httpcomponents:httpclient

ELSA-2014-1166

oracle-oval

почти 11 лет назад

ELSA-2014-1166: jakarta-commons-httpclient security update (IMPORTANT)

EPSS

Процентиль: 79%

0.01367

Низкий

5.8 Medium

CVSS2

Дефекты

NVD-CWE-Other