CVE-2014-3577

Source
https://nvd.nist.gov/vuln/detail/CVE-2014-3577
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2014-3577.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2014-3577
Aliases
Related
Published
2014-08-21T14:55:05Z
Modified
2024-09-11T02:00:06Z
Summary
[none]
Details

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

References

Affected packages

Debian:11 / commons-httpclient

Package

Name
commons-httpclient
Purl
pkg:deb/debian/commons-httpclient?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.1-11

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / commons-httpclient

Package

Name
commons-httpclient
Purl
pkg:deb/debian/commons-httpclient?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.1-11

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / commons-httpclient

Package

Name
commons-httpclient
Purl
pkg:deb/debian/commons-httpclient?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.1-11

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:11 / httpcomponents-client

Package

Name
httpcomponents-client
Purl
pkg:deb/debian/httpcomponents-client?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.3.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / httpcomponents-client

Package

Name
httpcomponents-client
Purl
pkg:deb/debian/httpcomponents-client?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.3.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / httpcomponents-client

Package

Name
httpcomponents-client
Purl
pkg:deb/debian/httpcomponents-client?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.3.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}