Httpclient
CVE-2014-3577
MEDIUM
Severity by source
AV:N/AC:M/Au:N/C:P/I:P/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
AV:N/AC:M/Au:N/C:P/I:P/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 1,643 maven packages depend on org.apache.httpcomponents:httpclient (341 direct, 1,310 indirect)
Ecosystem-wide dependent count for version 4.3.5.
DescriptionCVE.org
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
AnalysisAI
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available.
Technical ContextAI
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field. Affected products include: Apache Httpclient, Apache Httpasyncclient. Version information: before 4.3.5.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Httpclient
View allhttp/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifie
In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on
A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host na
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, d
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request U
http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.t
symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources s
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today