Skip to content

Improper Validation of Certificates in apache axis

Moderate severity GitHub Reviewed Published Oct 16, 2018 to the GitHub Advisory Database • Updated Mar 1, 2024

Package

maven axis:axis (Maven)

Affected versions

<= 1.4

Patched versions

None
maven org.apache.axis:axis (Maven)
<= 1.4
None

Description

The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.

References

Published by the National Vulnerability Database Aug 27, 2014
Published to the GitHub Advisory Database Oct 16, 2018
Reviewed Jun 16, 2020
Last updated Mar 1, 2024

Severity

Moderate

EPSS score

0.212%
(59th percentile)

Weaknesses

CVE ID

CVE-2014-3596

GHSA ID

GHSA-r53v-vm87-f72c

Source code

No known source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.