Vulnerability Description
The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Subversion | 1.4.0 |
| Opensuse | Opensuse | 12.3 |
| Canonical | Ubuntu Linux | 12.04 |
| Apple | Xcode | 6.1.1 |
Related Weaknesses (CWE)
References
- http://lists.apple.com/archives/security-announce/2015/Mar/msg00003.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-updates/2014-08/msg00038.htmlThird Party Advisory
- http://secunia.com/advisories/59432
- http://secunia.com/advisories/59584
- http://secunia.com/advisories/60100
- http://secunia.com/advisories/60722
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://www.osvdb.org/109996
- http://www.securityfocus.com/bid/69237Third Party AdvisoryVDB Entry
- http://www.ubuntu.com/usn/USN-2316-1Third Party Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95090
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95311
- https://security.gentoo.org/glsa/201610-05
- https://subversion.apache.org/security/CVE-2014-3522-advisory.txtPatchVendor Advisory
- https://support.apple.com/HT204427Third Party Advisory
FAQ
What is CVE-2014-3522?
CVE-2014-3522 is a vulnerability with a CVSS score of 4.0 (MEDIUM). The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certifi...
How severe is CVE-2014-3522?
CVE-2014-3522 has been rated MEDIUM with a CVSS base score of 4.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-3522?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Subversion, Opensuse Opensuse, Canonical Ubuntu Linux, Apple Xcode.