Lucene search

[email protected]NVD:CVE-2014-9365

HistoryDec 12, 2014 - 11:59 a.m.

CVE-2014-9365

2014-12-1211:59:07

[email protected]

web.nvd.nist.gov

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

AI Score

9.2

Confidence

High

EPSS

0.006

Percentile

79.0%

JSON

The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject’s (b) Common Name or © subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Affected configurations

Nvd

Node

pythonpythonMatch2.0

pythonpythonMatch2.0.1

pythonpythonMatch2.1

pythonpythonMatch2.1.1

pythonpythonMatch2.1.2

pythonpythonMatch2.1.3

pythonpythonMatch2.2

pythonpythonMatch2.2.1

pythonpythonMatch2.2.2

pythonpythonMatch2.2.3

pythonpythonMatch2.3.1

pythonpythonMatch2.3.2

pythonpythonMatch2.3.3

pythonpythonMatch2.3.4

pythonpythonMatch2.3.5

pythonpythonMatch2.3.7

pythonpythonMatch2.4.1

pythonpythonMatch2.4.2

pythonpythonMatch2.4.3

pythonpythonMatch2.4.4

pythonpythonMatch2.4.6

pythonpythonMatch2.5.1

pythonpythonMatch2.5.2

pythonpythonMatch2.5.3

pythonpythonMatch2.5.4

pythonpythonMatch2.5.6

pythonpythonMatch2.5.150

pythonpythonMatch2.6.1

pythonpythonMatch2.6.2

pythonpythonMatch2.6.3

pythonpythonMatch2.6.4

pythonpythonMatch2.6.5

pythonpythonMatch2.6.6

pythonpythonMatch2.6.7

pythonpythonMatch2.6.8

pythonpythonMatch2.6.2150

pythonpythonMatch2.6.6150

pythonpythonMatch2.7.1

pythonpythonMatch2.7.1rc1

pythonpythonMatch2.7.2rc1

pythonpythonMatch2.7.3

pythonpythonMatch2.7.4

pythonpythonMatch2.7.5

pythonpythonMatch2.7.6

pythonpythonMatch2.7.7

pythonpythonMatch2.7.8

pythonpythonMatch2.7.1150

pythonpythonMatch2.7.1150x64

pythonpythonMatch2.7.2150

pythonpythonMatch3.0

pythonpythonMatch3.0.1

pythonpythonMatch3.1

pythonpythonMatch3.1.1

pythonpythonMatch3.1.2

pythonpythonMatch3.1.3

pythonpythonMatch3.1.4

pythonpythonMatch3.1.5

pythonpythonMatch3.1.2150x64

pythonpythonMatch3.2

pythonpythonMatch3.2alpha

pythonpythonMatch3.2.0

pythonpythonMatch3.2.1

pythonpythonMatch3.2.2

pythonpythonMatch3.2.3

pythonpythonMatch3.2.4

pythonpythonMatch3.2.5

pythonpythonMatch3.2.6

pythonpythonMatch3.2.2150

pythonpythonMatch3.3

pythonpythonMatch3.3beta2

pythonpythonMatch3.3.0

pythonpythonMatch3.3.1

pythonpythonMatch3.3.1rc1

pythonpythonMatch3.3.2

pythonpythonMatch3.3.3

pythonpythonMatch3.3.3rc1

pythonpythonMatch3.3.3rc2

pythonpythonMatch3.3.4

pythonpythonMatch3.3.4rc1

pythonpythonMatch3.3.5-

pythonpythonMatch3.3.5rc1

pythonpythonMatch3.3.5rc2

pythonpythonMatch3.3.6rc1

pythonpythonMatch3.4alpha1

pythonpythonMatch3.4.0

pythonpythonMatch3.4.1

pythonpythonMatch3.4.2

Node

applemac_os_xRange≤10.10.4

References

bugs.python.org/issue22417

lists.apple.com/archives/security-announce/2015/Aug/msg00001.html

www.openwall.com/lists/oss-security/2014/12/11/1

www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html

www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html

www.securityfocus.com/bid/71639

access.redhat.com/errata/RHSA-2016:1166

access.redhat.com/errata/RHSA-2017:1162

access.redhat.com/errata/RHSA-2017:1868

security.gentoo.org/glsa/201503-10

support.apple.com/kb/HT205031

www.python.org/dev/peps/pep-0476/

www.python.org/downloads/release/python-279/

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

AI Score

9.2

Confidence

High

EPSS

0.006

Percentile

79.0%

JSON

Related for NVD:CVE-2014-9365

debiancve1 nessus18 openvas9 mageia1 ibm4 centos2 redhat4 cve1 ubuntucve1 veracode1 f51 prion1 cvelist1 amazon1 archlinux1 oraclelinux1 gentoo1 rosalinux1 securityvulns2