{"containers": {"cna": {"affected": [{"product": "Identity Provider (IdP)", "vendor": "Shibboleth; OpenSAML Java", "versions": [{"status": "affected", "version": "< 2.4.1"}]}, {"product": "OpenSAML Java", "vendor": "Shibboleth; OpenSAML Java", "versions": [{"status": "affected", "version": "< 2.6.2"}]}], "datePublic": "2014-08-13T00:00:00", "descriptions": [{"lang": "en", "value": "The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."}], "problemTypes": [{"descriptions": [{"description": "Other", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-04-04T13:38:16", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "60816", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/60816"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131823"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://shibboleth.net/community/advisories/secadv_20140813.txt"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2014-3603", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Identity Provider (IdP)", "version": {"version_data": [{"version_value": "< 2.4.1"}]}}, {"product_name": "OpenSAML Java", "version": {"version_data": [{"version_value": "< 2.6.2"}]}}]}, "vendor_name": "Shibboleth; OpenSAML Java"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Other"}]}]}, "references": {"reference_data": [{"name": "60816", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/60816"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1131823", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131823"}, {"name": "http://shibboleth.net/community/advisories/secadv_20140813.txt", "refsource": "CONFIRM", "url": "http://shibboleth.net/community/advisories/secadv_20140813.txt"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:50:17.020Z"}, "title": "CVE Program Container", "references": [{"name": "60816", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/60816"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131823"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://shibboleth.net/community/advisories/secadv_20140813.txt"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-3603", "datePublished": "2019-04-04T13:38:16", "dateReserved": "2014-05-14T00:00:00", "dateUpdated": "2024-08-06T10:50:17.020Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shibboleth:identity_provider:*:*:*:*:*:*:*:*", "matchCriteriaId": "2177E37A-0186-42E0-AE79-501FEA214B55", "versionEndExcluding": "2.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shibboleth:opensaml_java:*:*:*:*:*:*:*:*", "matchCriteriaId": "0CA3675A-CA2A-4D06-A32B-68D7ED42AD01", "versionEndExcluding": "2.6.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."}, {"lang": "es", "value": "Las implementaciones de (1) HttpResource y (2) FileBackedHttpResource en el Proveedor de Identidad (IdP) de Shibboleth, en versiones anteriores a la 2.4.1, y en OpenSAML Java, en su versi\u00f3n 2.6.2, no verifican que el nombre de host del servidor se corresponda con un nombre de dominio en el campo \"Common Name\" (CN) del asunto o en el campo \"subjectAltName\" del certificado X.509. Esto permite a los atacantes Man-in-the-Middle (MitM) suplantar los servidores SSL a trav\u00e9s de un certificado arbitrario v\u00e1lido."}], "id": "CVE-2014-3603", "lastModified": "2024-11-21T02:08:29.300", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-04T14:29:00.240", "references": [{"source": "secalert@redhat.com", "tags": ["Permissions Required", "Third Party Advisory"], "url": "http://secunia.com/advisories/60816"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://shibboleth.net/community/advisories/secadv_20140813.txt"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131823"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required", "Third Party Advisory"], "url": "http://secunia.com/advisories/60816"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://shibboleth.net/community/advisories/secadv_20140813.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131823"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-297"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "Java: HTTPS Connections Via HTTP Resources Do Not Perform Hostname Verification", "id": "1131823", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131823"}, "csaw": false, "cvss": {"cvss_base_score": "5.8", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "status": "draft"}, "cwe": "CWE-297", "details": ["The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."], "name": "CVE-2014-3603", "package_state": [{"cpe": "cpe:/a:redhat:jboss_data_grid:6", "fix_state": "Not affected", "package_name": "opensaml-java", "product_name": "Red Hat JBoss Data Grid 6"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Not affected", "package_name": "opensaml", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5", "fix_state": "Not affected", "package_name": "opensaml", "product_name": "Red Hat JBoss Enterprise Application Platform 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "opensaml", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Not affected", "package_name": "fuse-6", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Will not fix", "package_name": "fuse-esb-4", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Not affected", "package_name": "fuse-esb-7", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Will not fix", "package_name": "fuse-sf-2", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_operations_network:3", "fix_state": "Not affected", "package_name": "opensaml", "product_name": "Red Hat JBoss Operations Network 3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5", "fix_state": "Will not fix", "package_name": "opensaml", "product_name": "Red Hat JBoss Portal 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:6", "fix_state": "Not affected", "package_name": "opensaml", "product_name": "Red Hat JBoss Portal 6"}], "public_date": "2014-08-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-3603\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-3603"], "statement": "This issue did not affect the versions of OpenSAML Java as shipped with Red Hat JBoss Data Virtualization 6, Red Hat JBoss Data Grid 6, Red Hat JBoss Enterprise Application Platform 5 and 6, Red Hat JBoss JBoss Operations Network 3, and Red Hat JBoss Portal 6. These products use a version of Jakarta Commons HttpClient that contains a fix for CVE-2012-5783.\nFuse ESB 4 and Fuse Services Framework 2.3 and 2.4 are now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/", "threat_severity": "Important"}