CVE - CVE-2014-3577

CVE-ID
CVE-2014-3577	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
FULLDISC:20140818 CVE-2014-3577: Apache HttpComponents client: Hostname verification susceptible to MITM attack URL:http://seclists.org/fulldisclosure/2014/Aug/48 MISC:http://packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-Middle.html CONFIRM:https://access.redhat.com/solutions/1165533 CONFIRM:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564 CONFIRM:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05363782 CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html REDHAT:RHSA-2014:1146 URL:http://rhn.redhat.com/errata/RHSA-2014-1146.html REDHAT:RHSA-2014:1166 URL:http://rhn.redhat.com/errata/RHSA-2014-1166.html REDHAT:RHSA-2014:1833 URL:http://rhn.redhat.com/errata/RHSA-2014-1833.html REDHAT:RHSA-2014:1834 URL:http://rhn.redhat.com/errata/RHSA-2014-1834.html REDHAT:RHSA-2014:1835 URL:http://rhn.redhat.com/errata/RHSA-2014-1835.html REDHAT:RHSA-2014:1836 URL:http://rhn.redhat.com/errata/RHSA-2014-1836.html REDHAT:RHSA-2014:1891 URL:http://rhn.redhat.com/errata/RHSA-2014-1891.html REDHAT:RHSA-2014:1892 URL:http://rhn.redhat.com/errata/RHSA-2014-1892.html REDHAT:RHSA-2015:0158 URL:http://rhn.redhat.com/errata/RHSA-2015-0158.html REDHAT:RHSA-2015:0125 URL:http://rhn.redhat.com/errata/RHSA-2015-0125.html REDHAT:RHSA-2015:0675 URL:http://rhn.redhat.com/errata/RHSA-2015-0675.html REDHAT:RHSA-2015:0720 URL:http://rhn.redhat.com/errata/RHSA-2015-0720.html REDHAT:RHSA-2015:0765 URL:http://rhn.redhat.com/errata/RHSA-2015-0765.html REDHAT:RHSA-2015:0850 URL:http://rhn.redhat.com/errata/RHSA-2015-0850.html REDHAT:RHSA-2015:0851 URL:http://rhn.redhat.com/errata/RHSA-2015-0851.html REDHAT:RHSA-2015:1176 URL:http://rhn.redhat.com/errata/RHSA-2015-1176.html REDHAT:RHSA-2015:1177 URL:http://rhn.redhat.com/errata/RHSA-2015-1177.html REDHAT:RHSA-2015:1888 URL:http://rhn.redhat.com/errata/RHSA-2015-1888.html REDHAT:RHSA-2016:1773 URL:http://rhn.redhat.com/errata/RHSA-2016-1773.html REDHAT:RHSA-2016:1931 URL:http://rhn.redhat.com/errata/RHSA-2016-1931.html UBUNTU:USN-2769-1 URL:http://www.ubuntu.com/usn/USN-2769-1 BID:69258 URL:http://www.securityfocus.com/bid/69258 OSVDB:110143 URL:http://www.osvdb.org/110143 SECTRACK:1030812 URL:http://www.securitytracker.com/id/1030812 SECUNIA:60713 URL:http://secunia.com/advisories/60713 SECUNIA:60589 URL:http://secunia.com/advisories/60589 SECUNIA:60466 URL:http://secunia.com/advisories/60466 XF:apache-cve20143577-spoofing(95327) URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/95327
Assigning CNA
N/A
Date Entry Created
20140514	Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20140514)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: cve@mitre.org