Skip to content

Improper Verification of Cryptographic Signature in org.apache.httpcomponents:httpclient

Moderate severity GitHub Reviewed Published Oct 17, 2018 to the GitHub Advisory Database • Updated Apr 12, 2024

Package

maven org.apache.httpcomponents:httpclient (Maven)

Affected versions

< 4.3.5

Patched versions

4.3.5

Description

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

References

Published by the National Vulnerability Database Aug 21, 2014
Published to the GitHub Advisory Database Oct 17, 2018
Reviewed Jun 16, 2020
Last updated Apr 12, 2024

Severity

Moderate

EPSS score

1.521%
(87th percentile)

Weaknesses

CVE ID

CVE-2014-3577

GHSA ID

GHSA-cfh5-3ghh-wfjx

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.