CVE-2014-3577

Published: 21/08/2014 Updated: 07/11/2023
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
VMScore: 517
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Vulnerability Summary

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient prior to 4.3.5 and HttpAsyncClient prior to 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle malicious users to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
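To make the parsing flaw described above concrete, the following added illustration (written for this page, not code from HttpClient) contrasts a constructed comma-splitting CN extractor with one that parses RDNs via javax.naming.ldap.LdapName; the subject DN and the host name untrusted.example are constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CnExtractionDemo {

    // Constructed naive extractor in the style the advisory describes:
    // split the DN string on commas and keep any token that starts with "CN=".
    // Illustration only; this is not the library's own code.
    static List<String> naiveCns(String dn) {
        List<String> cns = new ArrayList<>();
        for (String tok : dn.split(",")) {
            String t = tok.trim();
            if (t.regionMatches(true, 0, "CN=", 0, 3)) {
                cns.add(t.substring(3));
            }
        }
        return cns;
    }

    // RDN-aware extractor: parse the RFC 2253 string with LdapName so an
    // escaped comma or a "CN=" inside an attribute value is never a separator.
    static List<String> parsedCns(String dn) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                cns.add(String.valueOf(rdn.getValue()));
            }
        }
        return cns;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed subject DN in RFC 2253 form (what X500Principal.getName()
        // returns): the O value is the single string "foo,CN=www.apache.org"
        // with its comma escaped; the certificate's only real CN is untrusted.example.
        String dn = "CN=untrusted.example,O=foo\\,CN=www.apache.org,C=US";
        System.out.println("naive  CNs: " + naiveCns(dn));
        System.out.println("parsed CNs: " + parsedCns(dn));
    }
}
```

With this input the naive list contains both untrusted.example and www.apache.org, so a verifier that accepts any listed CN would match the spoofed host, while the RDN-aware list holds only untrusted.example.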

Vulnerable Products

apache httpclient

apache httpasyncclient

Vendor Advisories

Debian Bug report logs - #758086 CVE-2014-3577 Apache HttpComponents hostname verification bypass Package: commons-httpclient; Maintainer for commons-httpclient is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Henri Salo <henri@nerv.fi> Date: Thu, 14 Aug 2014 07:15:02 UTC Severi ...
Several security issues were fixed in commons-httpclient ...
Synopsis Moderate: OpenShift Container Platform 4.12.4 security update Type/Severity Security Advisory: Moderate Topic Red Hat OpenShift Container Platform release 4.12.4 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of ...
Synopsis Moderate: OpenShift Container Platform 4.10.3 bug fix and security update Type/Severity Security Advisory: Moderate Topic Red Hat OpenShift Container Platform release 4.10.3 is now available with updates to package ...
Synopsis Moderate: OpenShift Container Platform 4.10.3 security update Type/Severity Security Advisory: Moderate Topic Red Hat OpenShift Container Platform release 4.10.3 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of ...
Synopsis Important: Red Hat JBoss Enterprise Application Platform 6.3.2 security update Type/Severity Security Advisory: Important Topic Updated Red Hat JBoss Enterprise Application Platform 6.3.2 packages that fix three security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Produc ...
Synopsis Moderate: Migration Toolkit for Containers (MTC) 1.5.4 security update Type/Severity Security Advisory: Moderate Topic The Migration Toolkit for Containers (MTC) 1.5.4 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which g ...
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid ...
Jenkins 2.314 and earlier bundles a version of the commons-httpclient library with the vulnerability CVE-2014-3577 that incorrectly verified SSL/TLS certificates, making it susceptible to man-in-the-middle attacks ...

Github Repositories

Old Commons HttpClient 3.x

Apache HttpComponents Commons HttpClient. Welcome to the Commons HttpClient component of the Apache HttpComponents project. Licensing: Apache HttpComponents Commons HttpClient is licensed under the Apache License 2.0. See the files called LICENSE.txt and NOTICE.txt for more information. About this repo: this repo is a fork of HttpClient 3.x with the latest svn changes and security

National Vulnerability Database dependency checker for Clojure projects

nvd-clojure (formerly known as lein-nvd): National Vulnerability Database dependency checker tool. For a given project, all the jar files from its classpath will be checked for known security vulnerabilities. nvd-clojure passes them to a library called DependencyCheck which does the vulnerability analysis. Quoting the README from that library: DependencyCheck is a utility th
