Описание
The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain.
It was found that the ServerTrustManager in the Smack XMPP API did not verify basicConstraints and nameConstraints in X.509 certificate chains. A man-in-the-middle attacker could use this flaw to spoof servers and obtain sensitive information.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat JBoss BRMS 5 | smack | Will not fix | ||
| Red Hat JBoss Enterprise Web Server 1 | anything | Under investigation | ||
| Red Hat JBoss Enterprise Web Server 1 | fuse-6 | Affected | ||
| Red Hat JBoss Enterprise Web Server 1 | fuse-esq-7 | Will not fix | ||
| Red Hat JBoss BPMS 6.0 | smack | Fixed | RHSA-2014:0819 | 30.06.2014 |
| Red Hat JBoss BRMS 6.0 | smack | Fixed | RHSA-2014:0818 | 30.06.2014 |
| Red Hat JBoss Fuse 6.2 | Fixed | RHSA-2015:1176 | 23.06.2015 |
Показывать по
Дополнительная информация
Статус:
EPSS
4.3 Medium
CVSS2
Связанные уязвимости
The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain.
The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain.
EPSS
4.3 Medium
CVSS2