CVE-2014-3577 vulnerability in Apache Products
Published on August 21, 2014

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Products Associated with CVE-2014-3577

stack.watch emails you whenever new vulnerabilities are published in Apache Httpasyncclient or Apache Httpclient. Just hit a watch button to start following.

Apache Httpasyncclient

Apache Httpclient

Exploit Probability

EPSS

2.40%

Percentile

84.80%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

CVE-2014-3577 vulnerability in Apache ProductsPublished on August 21, 2014

Products Associated with CVE-2014-3577

Exploit Probability

CVE-2014-3577 vulnerability in Apache Products
Published on August 21, 2014