exploitDog

CVE-2014-3603

Published: 13 Aug 2014
Source: redhat
CVSS2: 5.8
EPSS: Low

Description

The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Report

This issue did not affect the versions of OpenSAML Java as shipped with Red Hat JBoss Data Virtualization 6, Red Hat JBoss Data Grid 6, Red Hat JBoss Enterprise Application Platform 5 and 6, Red Hat JBoss Operations Network 3, and Red Hat JBoss Portal 6. These products use a version of Jakarta Commons HttpClient that contains a fix for CVE-2012-5783. Fuse ESB 4 and Fuse Services Framework 2.3 and 2.4 are now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/

Affected packages

Platform                                         Package         State
Red Hat JBoss Data Grid 6                        opensaml-java   Not affected
Red Hat JBoss Data Virtualization 6              opensaml        Not affected
Red Hat JBoss Enterprise Application Platform 5  opensaml        Not affected
Red Hat JBoss Enterprise Application Platform 6  opensaml        Not affected
Red Hat JBoss Enterprise Web Server 1            fuse-6          Not affected
Red Hat JBoss Enterprise Web Server 1            fuse-esb-4      Will not fix
Red Hat JBoss Enterprise Web Server 1            fuse-esb-7      Not affected
Red Hat JBoss Enterprise Web Server 1            fuse-sf-2       Will not fix
Red Hat JBoss Operations Network 3               opensaml        Not affected
Red Hat JBoss Portal 5                           opensaml        Will not fix

(The Recommendation and Release columns are empty for every row.)

Additional information

Status: Important
Defect: CWE-297
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1131823
Bug title: Java: HTTPS Connections Via HTTP Resources Do Not Perform Hostname Verification

EPSS

Percentile: 29%
Score: 0.00108
Rating: Low

CVSS2: 5.8 Medium

Related vulnerabilities

CVSS3: 5.9
Source: ubuntu
Published: almost 7 years ago

The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVSS3: 5.9
Source: nvd
Published: almost 7 years ago

The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVSS3: 5.9
Source: debian
Published: almost 7 years ago

The (1) HttpResource and (2) FileBackedHttpResource implementations in ...

CVSS3: 5.9
Source: github
Published: more than 3 years ago

Improper Validation of Certificate with Host Mismatch in Shibboleth Identity Provider and OpenSAML Java
