Improper Validation of Certificate with Host Mismatch

CVE-2014-3603

Medium

5.9/10

Summary

The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java up to 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Attack Complexity: HIGH
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-297 - Improper Validation of Certificate with Host Mismatch

The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host.

References

Advisory

Advisory Timeline

Published Apr 04, 2019

Improper Validation of Certificate with Host Mismatch

CVE-2014-3603

Summary

CWE-297 - Improper Validation of Certificate with Host Mismatch

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS