Lucene search

K
cve
Secalert@redhat.comCVE-2014-3577
HistoryAug 21, 2014 - 2:55 p.m.

CVE-2014-3577

2014-08-2114:55:00
NVD-CWE-Other
secalert@redhat.com
web.nvd.nist.gov
202
2
org.apache
http
ssl
apache httpcomponents
httpclient
httpasyncclient
cve-2014-3577
security vulnerability
x.509 certificate
man-in-the-middle
ssl servers

6.7 Medium

AI Score

Confidence

High

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.004 Low

EPSS

Percentile

73.0%

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a “CN=” string in a field in the distinguished name (DN) of a certificate, as demonstrated by the “foo,CN=www.apache.org” string in the O field.

References

Social References

More

Use Vulners API to create your own security tool

API usage cases
  • Network scanning
  • Linux Patch management
  • Threat protection
  • No network audit solution

Ways of integration

Integrate Vulners API

6.7 Medium

AI Score

Confidence

High

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.004 Low

EPSS

Percentile

73.0%

Related for CVE-2014-3577