CVE-2015-3455

2015-05-1815:59:00

CWE-20

[email protected]

web.nvd.nist.gov

squid

ssl

ssl-bump

vulnerability

ssl server spoofing

cve-2015-3455

nvd

5.9 Medium

AI Score

Confidence

Low

2.6 Low

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:N/I:P/A:N

0.017 Low

EPSS

Percentile

87.5%

JSON

Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, and 3.5.x before 3.5.4, when configured with client-first SSL-bump, do not properly validate the domain or hostname fields of X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate.

CPENameOperatorVersion
oracle:solarisoracle solariseq11.2
oracle:linuxoracle linuxeq7
squid-cache:squidsquid-cache squideq3.2.0.18
squid-cache:squidsquid-cache squideq3.3.3
squid-cache:squidsquid-cache squideq3.5.2
squid-cache:squidsquid-cache squideq3.2.0.9
squid-cache:squidsquid-cache squideq3.3.11
squid-cache:squidsquid-cache squideq3.3.0.1
squid-cache:squidsquid-cache squideq3.3.5
squid-cache:squidsquid-cache squideq3.2.0.1

CPE	Name	Operator	Version
oracle:solaris	oracle solaris	eq	11.2
oracle:linux	oracle linux	eq	7
squid-cache:squid	squid-cache squid	eq	3.2.0.18
squid-cache:squid	squid-cache squid	eq	3.3.3
squid-cache:squid	squid-cache squid	eq	3.5.2
squid-cache:squid	squid-cache squid	eq	3.2.0.9
squid-cache:squid	squid-cache squid	eq	3.3.11
squid-cache:squid	squid-cache squid	eq	3.3.0.1
squid-cache:squid	squid-cache squid	eq	3.3.5
squid-cache:squid	squid-cache squid	eq	3.2.0.1