CVE-2014-3522

Published: 19/08/2014 Updated: 30/10/2018
CVSS v2 Base Score: 4 | Impact Score: 4.9 | Exploitability Score: 4.9
VMScore: 356
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N

Vulnerability Summary

The Serf RA layer in Apache Subversion 1.4.0 up to and including 1.7.x prior to 1.7.18 and 1.8.x prior to 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

Vulnerable Product

apache subversion 1.7.17

apache subversion 1.8.7

apache subversion 1.8.5

apache subversion 1.8.6

apache subversion 1.7.13

apache subversion 1.7.14

apache subversion 1.7.7

apache subversion 1.7.8

apache subversion 1.6.14

apache subversion 1.6.15

apache subversion 1.6.21

apache subversion 1.6.23

apache subversion 1.6.9

apache subversion 1.5.0

apache subversion 1.5.8

apache subversion 1.4.0

apache subversion 1.8.2

apache subversion 1.8.3

apache subversion 1.8.4

apache subversion 1.7.11

apache subversion 1.7.12

apache subversion 1.7.5

apache subversion 1.7.6

apache subversion 1.6.12

apache subversion 1.6.13

apache subversion 1.6.2

apache subversion 1.6.20

apache subversion 1.6.7

apache subversion 1.6.8

apache subversion 1.5.6

apache subversion 1.5.7

apache subversion 1.4.5

apache subversion 1.4.6

apache subversion 1.8.0

apache subversion 1.8.1

apache subversion 1.7.1

apache subversion 1.7.10

apache subversion 1.7.3

apache subversion 1.7.4

apache subversion 1.6.1

apache subversion 1.6.10

apache subversion 1.6.11

apache subversion 1.6.18

apache subversion 1.6.19

apache subversion 1.6.5

apache subversion 1.6.6

apache subversion 1.5.4

apache subversion 1.5.5

apache subversion 1.4.3

apache subversion 1.4.4

apache subversion 1.8.8

apache subversion 1.8.9

apache subversion 1.7.16

apache subversion 1.7.0

apache subversion 1.7.15

apache subversion 1.7.2

apache subversion 1.7.9

apache subversion 1.6.0

apache subversion 1.6.16

apache subversion 1.6.17

apache subversion 1.6.3

apache subversion 1.6.4

apache subversion 1.5.1

apache subversion 1.5.2

apache subversion 1.5.3

apache subversion 1.4.1

apache subversion 1.4.2

opensuse opensuse 12.3

opensuse opensuse 13.1

canonical ubuntu linux 12.04

canonical ubuntu linux 14.04

apple xcode 6.1.1

Vendor Advisories

Several security issues were fixed in Subversion ...
The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate ...