CVE-2014-3603

First published: Wed Aug 20 2014(Updated: )

It was discovered that HttpResource and FileBackedHttpResource implementations in OpenSAML Java and Shibboleth IdP did not enable hostname verification when using TLS connections. Additionaly, OpenSAML Java makes use of Jakarta Commons HttpClient version 3.x, which does not perform verification of the server hostname against the server's X.508 certificate (<a href="https://access.redhat.com/security/cve/CVE-2012-5783">CVE-2012-5783</a>). This flaw can be exploited by a Man-in-the-middle (MITM) attack, where the attacker can spoof a valid certificate using a specially crafted subject.

Credit: secalert@redhat.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-index
• agent/type
• agent/first-publish-date
• agent/softwarecombine
• collector/mitre-cve
• source/MITRE
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2014-3603
• agent/software-canonical-lookup
• agent/weakness
• agent/severity
• agent/last-modified-date
• agent/references
• agent/author
• agent/description
• agent/tags
• agent/event
• agent/trending
• vendor/shibboleth
• canonical/shibboleth identity provider
• canonical/shibboleth opensaml java
• package-manager/redhat