Lucene search

[email protected]CVE-2014-5075

HistoryOct 25, 2014 - 9:55 p.m.

CVE-2014-5075

2014-10-2521:55:00

CWE-310

[email protected]

web.nvd.nist.gov

ignite realtime

smack xmpp

api

ssl

spoofing

cve-2014-5075

9.1 High

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

31.6%

JSON

The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CPENameOperatorVersion
redhat:jboss_fuseredhat jboss fusele6.1.0
igniterealtime:smack_apiigniterealtime smack apile4.0.1

CPE	Name	Operator	Version
redhat:jboss_fuse	redhat jboss fuse	le	6.1.0
igniterealtime:smack_api	igniterealtime smack api	le	4.0.1

References

op-co.de/CVE-2014-5075.html

rhn.redhat.com/errata/RHSA-2015-1176.html

secunia.com/advisories/59915

www.securityfocus.com/bid/69064

9.1 High

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

31.6%

JSON

Related for CVE-2014-5075

prion1 nessus1 fedora2 securityvulns2 openvas3 mageia1 redhat1