Published: 04/04/2019 Updated: 08/04/2019

CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6

CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2

VMScore: 383

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) prior to 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle malicious users to spoof SSL servers via an arbitrary valid certificate.

Vulnerable Product	Search on Vulmon	Subscribe to Product
shibboleth identity provider
shibboleth opensaml java

Synopsis Moderate: Open Liberty 190012 Runtime security update Type/Severity Security Advisory: Moderate Topic A security update is now available for Open Liberty 190012 from the Customer PortalRed Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerabil ...

Debian Bug report logs - #759470 libopensaml2-java: CVE-2014-3603 Package: libopensaml2-java; Maintainer for libopensaml2-java is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Source for libopensaml2-java is src:libopensaml2-java (PTS, buildd, popcon) Reported by: Moritz Muehlenhoff <jmm@inutilo ...

CWE-297 https://bugzilla.redhat.com/show_bug.cgi?id=1131823 http://shibboleth.net/community/advisories/secadv_20140813.txt http://secunia.com/advisories/60816 https://access.redhat.com/errata/RHSA-2019:4117 https://nvd.nist.gov

CVE-2014-3603

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect