5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
smack is vulnerable to man-in-the-middle. A lack of verification of the basicConstraints
and nameConstraints
in the ServerTrustManager
component for the X.509 certificate chains from the SSL server would allow attackers to spoof a server and perform MITM attacks via a crafted certificate chain to obtain confidential information.
community.igniterealtime.org/blogs/ignite/2014/04/17/asmack-400-rc1-has-been-released
issues.igniterealtime.org/browse/SMACK-410
rhn.redhat.com/errata/RHSA-2015-1176.html
secunia.com/advisories/59290
secunia.com/advisories/59291
www.kb.cert.org/vuls/id/489228
www.securityfocus.com/bid/67119
github.com/igniterealtime/Smack/commit/93030c218c62cf0a0a8ea48746db1452fa34033c