CVE-2014-3577

Published: Aug 21, 2014

Modified: Aug 6, 2024

PUBLISHED

Description

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
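The failure mode described above, shown as an added example (this is not HttpClient's own source): a CN extractor that splits the subject DN on commas, next to one that parses the DN structurally with the JDK's `javax.naming.ldap.LdapName`. The class name, method names and the sample DN are assumptions constructed for illustration; the O value reuses the string quoted in the description.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.ArrayList;
import java.util.List;

public class CnExtractionDemo {

    // Naive extraction (illustrative): split the DN string on every comma and
    // pick up anything after "CN=". An escaped comma inside an attribute value
    // is wrongly treated as an RDN separator.
    static List<String> naiveCns(String subjectDn) {
        List<String> cns = new ArrayList<>();
        for (String token : subjectDn.split(",")) {
            int i = token.indexOf("CN=");
            if (i >= 0) {
                cns.add(token.substring(i + 3).trim());
            }
        }
        return cns;
    }

    // Structured extraction: parse the DN per RFC 2253 and accept a value only
    // when the RDN's attribute type is CN. Escaped separators stay inside the
    // value they belong to.
    static List<String> parsedCns(String subjectDn) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType()) && rdn.getValue() instanceof String) {
                cns.add((String) rdn.getValue());
            }
        }
        return cns;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed subject DN: the real CN is other.example; the O field
        // carries the "foo,CN=www.apache.org" string with its comma escaped.
        String dn = "CN=other.example,O=foo\\,CN=www.apache.org,C=US";
        System.out.println("naive : " + naiveCns(dn));
        System.out.println("parsed: " + parsedCns(dn));
    }
}
```

The naive method reports `www.apache.org` as a CN even though it only appears inside the O value, so a hostname check built on it would accept that name; the parsed method returns only `other.example`.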

Vendor: n/a
Product: n/a
Versions: n/a (affected)

References

RHSA-2014:1891 (vendor-advisory)
RHSA-2015:0765 (vendor-advisory)
110143 (vdb-entry)
RHSA-2015:0675 (vendor-advisory)
60713 (third-party-advisory)
RHSA-2015:0720 (vendor-advisory)
RHSA-2014:1166 (vendor-advisory)
RHSA-2015:1888 (vendor-advisory)
RHSA-2014:1833 (vendor-advisory)
RHSA-2015:0850 (vendor-advisory)
RHSA-2015:0158 (vendor-advisory)
RHSA-2014:1834 (vendor-advisory)
60466 (third-party-advisory)
RHSA-2015:0125 (vendor-advisory)
RHSA-2015:1176 (vendor-advisory)
RHSA-2016:1931 (vendor-advisory)
RHSA-2014:1146 (vendor-advisory)
RHSA-2015:1177 (vendor-advisory)
69258 (vdb-entry)
RHSA-2014:1892 (vendor-advisory)
RHSA-2015:0851 (vendor-advisory)
RHSA-2014:1835 (vendor-advisory)
1030812 (vdb-entry)
USN-2769-1 (vendor-advisory)
60589 (third-party-advisory)
RHSA-2014:1836 (vendor-advisory)
RHSA-2016:1773 (vendor-advisory)
openSUSE-SU-2020:1873 (vendor-advisory)
openSUSE-SU-2020:1875 (vendor-advisory)
