18 matches found

EUVD
added 2025/10/07 12:30 a.m. | 6 views

EUVD-2014-9563

Malware in sbrugna...

CVSS 9.8 | AI score 9.3 | EPSS 0.02338
Exploits 0 | References 5

EUVD
added 2025/10/07 12:30 a.m. | 5 views

EUVD-2014-4974

Malware in sbrugna...

CVSS 6.8 | AI score 7.8 | EPSS 0.00924
Exploits 0 | References 7

NVD
added 2017/01/12 11:59 p.m. | 25 views

CVE-2016-10027

Race condition in the XMPP library in Smack before 4.1.9, when the SecurityMode.required TLS setting has been set, allows man-in-the-middle attackers to bypass TLS protections and trigger use of cleartext for client authentication by stripping the "starttls" feature from a server response...

CVSS 5.9 | AI score 5.8 | EPSS 0.01506
Exploits 0 | References 7

Prion
added 2017/01/12 11:59 p.m. | 18 views

Race condition

Race condition in the XMPP library in Smack before 4.1.9, when the SecurityMode.required TLS setting has been set, allows man-in-the-middle attackers to bypass TLS protections and trigger use of cleartext for client authentication by stripping the "starttls" feature from a server response...

CVSS 4.3 | AI score 7.2 | EPSS 0.01506
Exploits 0 | References 7 | Affected Software 2

RedhatCVE
added 2016/12/23 7:47 a.m. | 26 views

CVE-2016-10027

Race condition in the XMPP library in Smack before 4.1.9, when the SecurityMode.required TLS setting has been set, allows man-in-the-middle attackers to bypass TLS protections and trigger use of cleartext for client authentication by stripping the "starttls" feature from a server response...

CVSS 7.5 | AI score 5.3 | EPSS 0.01506
Exploits 0 | References 1

Veracode
added 2016/12/21 3:54 a.m. | 19 views

Man In The Middle (MitM)

Smack XMPP library is vulnerable to man-in-the-middle (MitM) attacks. This is because the security of the TLS connection is not always enforced, making it vulnerable to MitM. By stripping the "starttls" feature from the server response with a man-in-the-middle tool, an attacker can force the client...

CVSS 5.9 | AI score 5.4 | EPSS 0.01506
Exploits 0 | References 9 | Affected Software 1

Mageia
added 2014/12/26 5:4 p.m. | 55 views

Updated smack packages fix security vulnerabilities

Updated smack packages fix security vulnerabilities: The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers...

CVSS 6.8 | AI score 8.6 | EPSS 0.0123
Exploits 0 | References 3

Prion
added 2014/10/25 9:55 p.m. | 25 views

Design/Logic Flaw

The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof...

CVSS 6.8 | AI score 6.9 | EPSS 0.00924
Exploits 0 | References 4 | Affected Software 2

Cvelist
added 2014/10/25 9:0 p.m. | 29 views

CVE-2014-5075

The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof...

AI score 6.3 | EPSS 0.00924
Exploits 0 | References 4

CVE
added 2014/10/25 9:0 p.m. | 67 views

CVE-2014-5075

CVE-2014-5075 : The Ignite Realtime Smack XMPP API (4.x before 4.0.2; 3.x and 2.x when a custom SSLContext is used) does not verify that the SSL certificate’s CN or SAN matches the server hostname, enabling man-in-the-middle with an arbitrary valid certificate. This is a hostname verification fla...

CVSS 6.8 | AI score 8.9 | EPSS 0.00924
Exploits 0 | References 4 | Affected Software 1

securityvulns
added 2014/08/11 12:0 a.m. | 98 views

CVE-2014-5075 MitM Vulnerability in the Smack XMPP Library for Java

Smack http://www.igniterealtime.org/projects/smack/ is an Open Source XMPP Jabber client library for instant messaging and presence written in Java. Smack prior ...

CVSS 6.8 | AI score 0.8 | EPSS 0.0123
Exploits 0

RedHat Linux
added 2014/06/30 8:51 p.m. | 49 views

Important: Red Hat Security Advisory: Red Hat JBoss BRMS 6.0.2 update

Red Hat JBoss BRMS 6.0.2, which fixes multiple security issues, various bugs, and adds enhancements, is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System CVSS base score...

CVSS 7.5 | AI score 7.3 | EPSS 0.137
Exploits 2 | References 7

RedHat Linux
added 2014/06/30 8:51 p.m. | 48 views

Important: Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.0.2 update

Red Hat JBoss BPM Suite 6.0.2, which fixes multiple security issues, various bugs, and adds enhancements, is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System CVSS base...

CVSS 7.5 | AI score 7.4 | EPSS 0.137
Exploits 2 | References 6

Prion
added 2014/04/30 10:49 a.m. | 18 views

Design/Logic Flaw

The ParseRoster component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify the from attribute of a roster-query IQ stanza, which allows remote attackers to spoof IQ responses via a crafted attribute...

CVSS 5 | AI score 6.8 | EPSS 0.06242
Exploits 0 | References 6 | Affected Software 1

Prion
added 2014/04/30 10:49 a.m. | 13 views

Design/Logic Flaw

The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted...

CVSS 5.8 | AI score 6.2 | EPSS 0.0123
Exploits 0 | References 7 | Affected Software 1

Cvelist
added 2014/04/30 10:0 a.m. | 25 views

CVE-2014-0364

The ParseRoster component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify the from attribute of a roster-query IQ stanza, which allows remote attackers to spoof IQ responses via a crafted attribute...

AI score 6.2 | EPSS 0.06242
Exploits 0 | References 6

CVE
added 2014/04/30 10:0 a.m. | 72 views

CVE-2014-0363

CVE-2014-0363 affects Ignite Realtime Smack XMPP API: ServerTrustManager fails to verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, enabling MITM spoofing of servers and potential data leakage. The vulnerability is in the Smack API prior to 4.0.0-rc1. Remed...

CVSS 5.8 | AI score 8.5 | EPSS 0.0123
Exploits 0 | References 7 | Affected Software 1

CERT
added 2014/04/29 12:0 a.m. | 34 views

Ignite Realtime Smack XMPP API contains multiple vulnerabilities

Overview: Ignite Realtime's Smack XMPP API ServerTrustManager trusts unauthorized SSL certificates (CWE-358) and IQ requests do not verify the from attribute allowing anyone to spoof IQ responses (CWE-345). Description: CWE-358: Improperly Implemented Security Check for Standard - CVE-2014-0363 The...

CVSS 5.8 | AI score 9.1 | EPSS 0.06242
Exploits 0 | References 6