CVE-2014-3577
6.7 Medium
AI Score
Confidence
Low
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.004 Low
EPSS
Percentile
74.4%
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a “CN=” string in a field in the distinguished name (DN) of a certificate, as demonstrated by the “foo,CN=www.apache.org” string in the O field.
| CPE | Name | Operator | Version |
|---|---|---|---|
| apache:httpclient | apache httpclient | le | 4.3.4 |
| apache:httpasyncclient | apache httpasyncclient | le | 4.0.1 |
References
lists.opensuse.org/opensuse-security-announce/2020-11/msg00032.html
lists.opensuse.org/opensuse-security-announce/2020-11/msg00033.html
packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-Middle.html
rhn.redhat.com/errata/RHSA-2014-1146.html
rhn.redhat.com/errata/RHSA-2014-1166.html
rhn.redhat.com/errata/RHSA-2014-1833.html
rhn.redhat.com/errata/RHSA-2014-1834.html
rhn.redhat.com/errata/RHSA-2014-1835.html
rhn.redhat.com/errata/RHSA-2014-1836.html
rhn.redhat.com/errata/RHSA-2014-1891.html
rhn.redhat.com/errata/RHSA-2014-1892.html
rhn.redhat.com/errata/RHSA-2015-0125.html
rhn.redhat.com/errata/RHSA-2015-0158.html
rhn.redhat.com/errata/RHSA-2015-0675.html
rhn.redhat.com/errata/RHSA-2015-0720.html
rhn.redhat.com/errata/RHSA-2015-0765.html
rhn.redhat.com/errata/RHSA-2015-0850.html
rhn.redhat.com/errata/RHSA-2015-0851.html
rhn.redhat.com/errata/RHSA-2015-1176.html
rhn.redhat.com/errata/RHSA-2015-1177.html
rhn.redhat.com/errata/RHSA-2015-1888.html
rhn.redhat.com/errata/RHSA-2016-1773.html
rhn.redhat.com/errata/RHSA-2016-1931.html
seclists.org/fulldisclosure/2014/Aug/48
secunia.com/advisories/60466
secunia.com/advisories/60589
secunia.com/advisories/60713
www.openwall.com/lists/oss-security/2021/10/06/1
www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
www.osvdb.org/110143
www.securityfocus.com/bid/69258
www.securitytracker.com/id/1030812
www.ubuntu.com/usn/USN-2769-1
access.redhat.com/solutions/1165533
exchange.xforce.ibmcloud.com/vulnerabilities/95327
h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564
h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05363782
lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
security.netapp.com/advisory/ntap-20231027-0003/
Social References
More
Related
6.7 Medium
AI Score
Confidence
Low
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.004 Low
EPSS
Percentile
74.4%