Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
5.8
CVSSv2

CVE-2014-3596

Published: 27/08/2014 Updated: 13/02/2023
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
VMScore: 516
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Subscribe to Axis

Vulnerability Summary

The getCN function in Apache Axis 1.4 and previous versions does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle malicious users to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

apache axis 1.0

apache axis 1.1

apache axis 1.2

apache axis 1.2.1

apache axis

apache axis 1.3

Vendor Advisories

Debian CVElist Bug Report Logs: Insecure certificate validation CVE-2014-3596
Debian Bug report logs - #762444 Insecure certificate validation CVE-2014-3596 Package: axis; Maintainer for axis is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Raphael Hertzog <hertzog@debianorg> Date: Mon, 22 Sep 2014 12:03:02 UTC Severity: grave Tags: patch, security Fixe ...
Amazon Linux AMI: ALAS-2014-412
It was discovered that Axis incorrectly extracted the host name from an X509 certificate subject's Common Name (CN) field A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X509 certificate (CVE-2014-3596) ...
Red Hat: CVE-2014-3596
It was discovered that Axis incorrectly extracted the host name from an X509 certificate subject's Common Name (CN) field A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X509 certificate ...

References

NVD-CWE-Otherhttp://www.openwall.com/lists/oss-security/2014/08/20/2https://issues.apache.org/jira/browse/AXIS-2905http://www.securitytracker.com/id/1030745http://www.securityfocus.com/bid/69295http://rhn.redhat.com/errata/RHSA-2014-1193.htmlhttp://secunia.com/advisories/61222http://linux.oracle.com/errata/ELSA-2014-1193.htmlhttps://exchange.xforce.ibmcloud.com/vulnerabilities/95377http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00007.htmlhttp://lists.opensuse.org/opensuse-security-announce/2019-06/msg00022.htmlhttps://www.oracle.com/security-alerts/cpujan2020.htmlhttps://lists.apache.org/thread.html/5e6c92145deddcecf70c3604041dcbd615efa2d37632fc2b9c367780%40%3Cjava-dev.axis.apache.org%3Ehttps://lists.apache.org/thread.html/a308887782e05da7cf692e4851ae2bd429a038570cbf594e6631cc8d%40%3Cjava-dev.axis.apache.org%3Ehttps://lists.apache.org/thread.html/de2af12dcaba653d02b03235327ca4aa930401813a3cced8e151d29c%40%3Cjava-dev.axis.apache.org%3Ehttps://lists.apache.org/thread.html/44d4e88a5fa8ae60deb752029afe9054da87c5f859caf296fcf585e5%40%3Cjava-dev.axis.apache.org%3Ehttps://lists.apache.org/thread.html/8aa25c99eeb0693fc229ec87d1423b5ed5d58558618706d8aba1d832%40%3Cjava-dev.axis.apache.org%3Ehttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762444https://nvd.nist.govhttps://access.redhat.com/security/cve/cve-2014-3596https://alas.aws.amazon.com/ALAS-2014-412.html
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-27977IMAPlocal usersCVE-2024-32038CVE-2023-49963CVE-2023-22869CVE-2024-31497localCVE-2024-2961
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook