{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-08-05T00:00:00", "descriptions": [{"lang": "en", "value": "The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-11-25T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "59915", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/59915"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://op-co.de/CVE-2014-5075.html"}, {"name": "RHSA-2015:1176", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1176.html"}, {"name": "69064", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/69064"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-5075", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "59915", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/59915"}, {"name": "http://op-co.de/CVE-2014-5075.html", "refsource": "CONFIRM", "url": "http://op-co.de/CVE-2014-5075.html"}, {"name": "RHSA-2015:1176", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-1176.html"}, {"name": "69064", "refsource": "BID", "url": "http://www.securityfocus.com/bid/69064"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T11:34:37.436Z"}, "title": "CVE Program Container", "references": [{"name": "59915", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/59915"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://op-co.de/CVE-2014-5075.html"}, {"name": "RHSA-2015:1176", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1176.html"}, {"name": "69064", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/69064"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-5075", "datePublished": "2014-10-25T21:00:00", "dateReserved": "2014-07-24T00:00:00", "dateUpdated": "2024-08-06T11:34:37.436Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_fuse:*:*:*:*:*:*:*:*", "matchCriteriaId": "882CD859-9180-4AF7-A5E1-9CAB574CA667", "versionEndIncluding": "6.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:igniterealtime:smack_api:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD53CC15-FD13-4D63-B286-5D0FE7D7DC49", "versionEndIncluding": "4.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."}, {"lang": "es", "value": "La API Ignite Realtime Smack XMPP 4.x anterior a 4.0.2, y 3.x y 2.x cuando se utiliza un SSLContext personalizado, no verifica que el nombre del servidor coincide con un nombre de dominio en el campo de asunto Common Name (CN) o subjectAltName del certificado X.509, lo que permite a atacantes man-in-the-middle suplantar los servidores SSL a trav\u00e9s de un certificado v\u00e1lido arbitrario."}], "id": "CVE-2014-5075", "lastModified": "2016-11-28T19:12:33.010", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-10-25T21:55:04.177", "references": [{"source": "cve@mitre.org", "url": "http://op-co.de/CVE-2014-5075.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2015-1176.html"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/59915"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/69064"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2015:1176", "cpe": "cpe:/a:redhat:jboss_fuse:6.2.0", "product_name": "Red Hat JBoss Fuse 6.2", "release_date": "2015-06-23T00:00:00Z"}], "bugzilla": {"description": "smack: MitM vulnerability", "id": "1127276", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1127276"}, "csaw": false, "cvss": {"cvss_base_score": "5.8", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "status": "verified"}, "details": ["The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", "It was found that SSLSocket in Smack did not perform hostname verification. An attacker could redirect traffic between an application and an XMPP server by providing a valid certificate for a domain under the attacker's control."], "name": "CVE-2014-5075", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5", "fix_state": "Will not fix", "package_name": "smack", "product_name": "Red Hat JBoss BRMS 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Under investigation", "package_name": "fuse-6", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Under investigation", "package_name": "fuse-esb-7", "product_name": "Red Hat JBoss Enterprise Web Server 1"}], "public_date": "2014-08-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-5075\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-5075"], "threat_severity": "Moderate", "upstream_fix": "smack 4.0.2, smack-tcp 4.0.2, smack-core 4.0.2"}