CVE-2014-3522
MEDIUM severity · CVSS 4 · CWE-297
4CVSS MEDIUM
Summary
The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
Impact & exploitability
Attack vectorNetwork
Attack complexityHigh
Privileges required—
User interaction—
Confidentiality impact—
Integrity impact—
Availability impactNone
Exploit probability (EPSS)6%
AV:N/AC:H/Au:N/C:P/I:P/A:N
Affected products we track (2)
Recommendation
Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.
Additional information
- NVD record
- http://lists.apple.com/archives/security-announce/2015/Mar/msg00003.htmlAdvisory
- http://lists.opensuse.org/opensuse-updates/2014-08/msg00038.htmlAdvisory
- http://secunia.com/advisories/59432
- http://secunia.com/advisories/59584
- http://secunia.com/advisories/60100
- http://secunia.com/advisories/60722
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://www.osvdb.org/109996