com.yubico.java:yubico-validation-client (=2.0RC3), com.yubico:yubico-jaas-module (>=2.0.1 <=3.1.0) +4 more potentially affected by CVE-2014-3607 via edu.vt.middleware:vt-ldap (>=3.3.2 <=3.3.5)

edu.vt.middleware:vt-ldap MAVEN version =3.3.2, =2.0.1, =2.0.0, =2.2.0, =2.0.0, =2.3.0 Source cves: CVE-2014-3607 Source advisory: OSV:GHSA-273V-G3X4-R3RC...

Certificate Spoofing

vt-ldap is vulnerable to certificate spoofing. The library does not properly parse and verify the hostname in certificates, allowing an attacker to spoof SSL Servers by spoofing a certificate in conjunction with a man-in-the-middle MitM attack...

CVE-2014-3607

CVE-2014-3607 affects Ldaptive (formerly vt-ldap) and its DefaultHostnameVerifier, which fails to ensure the server hostname matches a domain name in the X.509 certificate’s CN. This allows remote attackers to perform a MITM spoofing attack by using an arbitrary valid certificate. The issue is ob...