Vulnerability Description
The default AFSecurityPolicy.validatesDomainName configuration for AFSSLPinningModeNone in the AFNetworking framework before 2.5.3, as used in the ownCloud iOS Library, disables verification of a server hostname against the domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Afnetworking Project | Afnetworking | <= 2.5.2 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/76242
- https://github.com/AFNetworking/AFNetworking/issues/2619
- https://github.com/AFNetworking/AFNetworking/releases/tag/2.5.3
- https://owncloud.org/security/advisory/?id=oc-sa-2015-012Vendor Advisory
- http://www.securityfocus.com/bid/76242
- https://github.com/AFNetworking/AFNetworking/issues/2619
- https://github.com/AFNetworking/AFNetworking/releases/tag/2.5.3
- https://owncloud.org/security/advisory/?id=oc-sa-2015-012Vendor Advisory
FAQ
What is CVE-2015-3996?
CVE-2015-3996 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The default AFSecurityPolicy.validatesDomainName configuration for AFSSLPinningModeNone in the AFNetworking framework before 2.5.3, as used in the ownCloud iOS Library, disables verification of a serv...
How severe is CVE-2015-3996?
CVE-2015-3996 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-3996?
Check the references section above for vendor advisories and patch information. Affected products include: Afnetworking Project Afnetworking.