Vulnerability CVE-2014-3522
Published: 2014-08-19

Description:
The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

Type:

CWE-297

 (Improper Validation of Host-specific Certificate Data)

CVSS2 => (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4/10
4.9/10
4.9/10
Exploit range
Attack complexity
Authentication
Remote
High
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
None
Affected software
Opensuse -> Opensuse 
Novell -> Opensuse 
Canonical -> Ubuntu linux 
Apple -> Xcode 
Apache -> Subversion 

 References:
http://lists.apple.com/archives/security-announce/2015/Mar/msg00003.html
http://lists.opensuse.org/opensuse-updates/2014-08/msg00038.html
http://secunia.com/advisories/59432
http://secunia.com/advisories/59584
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
http://www.osvdb.org/109996
http://www.securityfocus.com/bid/69237
http://www.ubuntu.com/usn/USN-2316-1
https://exchange.xforce.ibmcloud.com/vulnerabilities/95090
https://exchange.xforce.ibmcloud.com/vulnerabilities/95311
https://security.gentoo.org/glsa/201610-05
https://subversion.apache.org/security/CVE-2014-3522-advisory.txt
https://support.apple.com/HT204427
Copyright 2024, cxsecurity.com

 

Back to Top