{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-08-20T00:00:00", "descriptions": [{"lang": "en", "value": "Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-04T19:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://juliusdavies.ca/svn/viewvc.cgi/not-yet-commons-ssl?view=rev&revision=172"}, {"name": "notyetcommons-cve20143604-sec-bypass(97659)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/97659"}, {"name": "RHSA-2015:1888", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1888.html"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131803"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3604.yaml"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2014-3604", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://juliusdavies.ca/svn/viewvc.cgi/not-yet-commons-ssl?view=rev&revision=172", "refsource": "CONFIRM", "url": "http://juliusdavies.ca/svn/viewvc.cgi/not-yet-commons-ssl?view=rev&revision=172"}, {"name": "notyetcommons-cve20143604-sec-bypass(97659)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/97659"}, {"name": "RHSA-2015:1888", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-1888.html"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1131803", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131803"}, {"name": "https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3604.yaml", "refsource": "MISC", "url": "https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3604.yaml"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:50:17.760Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://juliusdavies.ca/svn/viewvc.cgi/not-yet-commons-ssl?view=rev&revision=172"}, {"name": "notyetcommons-cve20143604-sec-bypass(97659)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/97659"}, {"name": "RHSA-2015:1888", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1888.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131803"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3604.yaml"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-3604", "datePublished": "2014-10-25T00:00:00", "dateReserved": "2014-05-14T00:00:00", "dateUpdated": "2024-08-06T10:50:17.760Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:not_yet_commons_ssl_project:not_yet_commons_ssl:*:*:*:*:*:*:*:*", "matchCriteriaId": "0BAD6FEE-D3FD-4BEB-A253-5A07D1B49C0C", "versionEndIncluding": "0.3.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."}, {"lang": "es", "value": "Certificates.java en Not Yet Commons SSL anterior a 0.3.15 no verifica debidamente que el nombre del servidor coincide con el nombre del dominio en el campo del asunto Common Name (CN) del certificado X.509, lo que permite a atacantes man-in-the-middle suplantar servidores SSL a trav\u00e9s de un certificado v\u00e1lido arbitrario."}], "id": "CVE-2014-3604", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-10-25T00:55:03.023", "references": [{"source": "secalert@redhat.com", "tags": ["Patch"], "url": "http://juliusdavies.ca/svn/viewvc.cgi/not-yet-commons-ssl?view=rev&revision=172"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2015-1888.html"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131803"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/97659"}, {"source": "secalert@redhat.com", "url": "https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3604.yaml"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://juliusdavies.ca/svn/viewvc.cgi/not-yet-commons-ssl?view=rev&revision=172"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2015-1888.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131803"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/97659"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3604.yaml"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Arun Babu Neelicattu (Red Hat Product Security).", "affected_release": [{"advisory": "RHSA-2015:1888", "cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5.3", "package": "commons-ssl", "product_name": "Red Hat JBoss SOA Platform 5.3", "release_date": "2015-10-12T00:00:00Z"}], "bugzilla": {"description": "SSL: Hostname verification susceptible to MITM attack", "id": "1131803", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131803"}, "csaw": false, "cvss": {"cvss_base_score": "5.8", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "status": "verified"}, "cwe": "CWE-228->CWE-297", "details": ["Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", "It was discovered that the implementation used by the Not Yet Commons SSL project to check that the server hostname matches the domain name in the subject's CN field was flawed. This could be exploited by a man-in-the-middle attacker by spoofing a valid certificate using a specially crafted subject."], "name": "CVE-2014-3604", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:4", "fix_state": "Will not fix", "package_name": "commons-ssl", "product_name": "Red Hat JBoss SOA Platform 4"}], "public_date": "2014-08-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-3604\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-3604"], "statement": "Red Hat JBoss SOA Platform 4 is now in Phase 3, Extended Life Support, of its life cycle. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/", "threat_severity": "Important"}