org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2014-08-21T00:00:00
Updated: 2023-10-27T14:07:16.016530
Reserved: 2014-05-14T00:00:00
Link: CVE-2014-3577
JSON object: View
NVD Information
Status : Modified
Published: 2014-08-21T14:55:05.100
Modified: 2023-11-07T02:20:13.943
Link: CVE-2014-3577
JSON object: View
Redhat Information
No data.
CWE