Vulnerability Description
DefaultHostnameVerifier in Ldaptive (formerly vt-ldap) does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ldaptive | Ldaptive | < 1.0.5 |
| Ldaptive | Vt-Ldap | < 3.3.8 |
Related Weaknesses (CWE)
References
- http://shibboleth.net/community/advisories/secadv_20140919.txt (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1140438 (Issue Tracking, Patch, Third Party Advisory)
- https://code.google.com/archive/p/vt-middleware/issues/226 (Third Party Advisory)
- https://code.google.com/archive/p/vt-middleware/issues/227 (Third Party Advisory)
- https://code.google.com/archive/p/vt-middleware/issues/228 (Third Party Advisory)
FAQ
What is CVE-2014-3607?
CVE-2014-3607 is a vulnerability with a CVSS score of 5.9 (MEDIUM). DefaultHostnameVerifier in Ldaptive (formerly vt-ldap) does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which a...
How severe is CVE-2014-3607?
CVE-2014-3607 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-3607?
Check the references section above for vendor advisories and patch information. Affected products include: Ldaptive Ldaptive, Ldaptive Vt-Ldap.