Vulnerability Description
The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Shibboleth | Identity Provider | < 2.4.1 |
| Shibboleth | Opensaml Java | < 2.6.2 |
Related Weaknesses (CWE)
References
- http://secunia.com/advisories/60816Permissions RequiredThird Party Advisory
- http://shibboleth.net/community/advisories/secadv_20140813.txtVendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1131823ExploitIssue TrackingThird Party Advisory
- http://secunia.com/advisories/60816Permissions RequiredThird Party Advisory
- http://shibboleth.net/community/advisories/secadv_20140813.txtVendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1131823ExploitIssue TrackingThird Party Advisory
FAQ
What is CVE-2014-3603?
CVE-2014-3603 is a vulnerability with a CVSS score of 5.9 (MEDIUM). The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain n...
How severe is CVE-2014-3603?
CVE-2014-3603 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-3603?
Check the references section above for vendor advisories and patch information. Affected products include: Shibboleth Identity Provider, Shibboleth Opensaml Java.