Improper Validation of Certificate with Host Mismatch

Affecting the subversion package, versions <1.8.10-1

Overview

The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
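
The weakness described above is a hostname-verification problem: a wildcard in the CN or subjectAltName has to be matched conservatively, or a certificate legitimately issued for one name ends up accepted for another. The following is an added example, not code from Subversion or Serf, and the page does not say which wildcard forms Serf mishandled, so it simply shows what a conservative verifier in the style of RFC 6125 section 6.4.3 and RFC 2818 section 3.1 looks like: the wildcard is accepted only as the entire leftmost label, it matches exactly one label (never across a dot and never the bare domain), it is rejected when fewer than two labels follow it, it never matches an IP literal, and the CN is consulted only when the certificate carries no dNSName SAN entries. The function names and the sample names in the test are constructed for illustration.

```python
"""Hostname verification against an X.509 certificate's presented names.

Added example (not Subversion or Serf code). Implements conservative
wildcard rules from RFC 6125 section 6.4.3 / RFC 2818 section 3.1.
"""
import ipaddress


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.rstrip(".").lower()


def _pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one presented identifier (possibly a wildcard) against hostname."""
    pattern = _normalize(pattern)
    hostname = _normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label and appear nowhere else.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Require at least two non-empty literal labels after it (rejects "*.com").
    if len(p_labels) < 3 or any(lbl == "" for lbl in p_labels[1:]):
        return False
    # The wildcard covers exactly one label, so label counts must be equal:
    # "*.example.com" matches "www.example.com" but neither "example.com"
    # nor "a.b.example.com".
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def _is_ip_literal(hostname: str) -> bool:
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def hostname_matches(hostname, san_dns=(), san_ip=(), common_name=None):
    """Return True if hostname is covered by the certificate's names.

    san_dns: dNSName SAN entries; san_ip: iPAddress SAN entries as strings;
    common_name: the subject CN, used only as a fallback when san_dns is empty.
    """
    if _is_ip_literal(hostname):
        # IP literals must equal an iPAddress SAN; wildcards never apply to them.
        target = ipaddress.ip_address(hostname)
        return any(ipaddress.ip_address(ip) == target for ip in san_ip)
    if san_dns:
        # RFC 6125: once dNSName SANs are present, the CN is not a fallback.
        return any(_pattern_matches(p, hostname) for p in san_dns)
    if common_name is not None:
        return _pattern_matches(common_name, hostname)
    return False


if __name__ == "__main__":
    # Constructed sample: a certificate for "*.example.com" must not be
    # accepted for the bare domain or for a deeper subdomain.
    for host in ("www.example.com", "example.com", "a.b.example.com"):
        print(host, hostname_matches(host, san_dns=["*.example.com"]))
```

Each rejection branch corresponds to a class of spoofing that a lax matcher admits: treating `*` as matching across dots would let a certificate for `*.example.com` stand in for `a.b.example.com`, honouring the CN when SAN entries exist would let an attacker pick whichever field the verifier checks less strictly, and accepting `*.com` would cover every second-level domain. A client library is worth checking against exactly these cases.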

CVSS Score

4.8 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CVE: CVE-2014-3522
CWE: CWE-297
Snyk ID: SNYK-DEBIAN9-SUBVERSION-344525
Disclosed: 19 Aug, 2014
Published: 19 Aug, 2014