Moderate severityNVD Advisory· Published Aug 27, 2014· Updated Jun 17, 2026
CVE-2014-3596
CVE-2014-3596
Description
The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.axis:axisMaven | <= 1.4 | — |
axis:axisMaven | <= 1.4 | — |
Affected products
28cpe:2.3:a:apache:axis:*:*:*:*:*:*:*:*+ 18 more
- cpe:2.3:a:apache:axis:*:*:*:*:*:*:*:*range: <=1.4
- cpe:2.3:a:apache:axis:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:axis:1.0:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:axis:1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:apache:axis:1.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:apache:axis:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:axis:1.1:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:axis:1.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:apache:axis:1.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:apache:axis:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:axis:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:axis:1.2:alpha:*:*:*:*:*:*
- cpe:2.3:a:apache:axis:1.2:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:axis:1.2:beta2:*:*:*:*:*:*
- cpe:2.3:a:apache:axis:1.2:beta3:*:*:*:*:*:*
- cpe:2.3:a:apache:axis:1.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:apache:axis:1.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:apache:axis:1.2:rc3:*:*:*:*:*:*
- cpe:2.3:a:apache:axis:1.3:*:*:*:*:*:*:*
- ghsa-coords9 versionspkg:maven/axis/axispkg:maven/org.apache.axis/axispkg:rpm/opensuse/axis&distro=openSUSE%20Leap%2015.0pkg:rpm/suse/axis&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015pkg:rpm/suse/axis&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1pkg:rpm/suse/axis&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3pkg:rpm/suse/axis&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/axis&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/axis&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4
<= 1.4+ 8 more
- (no CPE)range: <= 1.4
- (no CPE)range: <= 1.4
- (no CPE)range: < 1.4-lp150.9.1
- (no CPE)range: < 1.4-5.8.1
- (no CPE)range: < 1.4-5.8.1
- (no CPE)range: < 1.4-290.6.1
- (no CPE)range: < 1.4-290.6.1
- (no CPE)range: < 1.4-290.6.1
- (no CPE)range: < 1.4-290.6.1
Patches
Vulnerability mechanics
References
29- issues.apache.org/jira/browse/AXIS-2905nvdPatchWEB
- github.com/advisories/GHSA-r53v-vm87-f72cghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2014-3596ghsaADVISORY
- linux.oracle.com/errata/ELSA-2014-1193.htmlnvdWEB
- lists.opensuse.org/opensuse-security-announce/2019-06/msg00007.htmlnvdWEB
- lists.opensuse.org/opensuse-security-announce/2019-06/msg00022.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2014-1193.htmlnvdWEB
- www.openwall.com/lists/oss-security/2014/08/20/2nvdWEB
- access.redhat.com/errata/RHSA-2014:1193ghsaWEB
- access.redhat.com/errata/RHSA-2015:1010ghsaWEB
- access.redhat.com/security/cve/CVE-2014-3596ghsaWEB
- bugzilla.redhat.com/show_bug.cgighsaWEB
- exchange.xforce.ibmcloud.com/vulnerabilities/95377nvdWEB
- lists.apache.org/thread.html/44d4e88a5fa8ae60deb752029afe9054da87c5f859caf296fcf585e5%40%3Cjava-dev.axis.apache.org%3EnvdWEB
- lists.apache.org/thread.html/44d4e88a5fa8ae60deb752029afe9054da87c5f859caf296fcf585e5@%3Cjava-dev.axis.apache.org%3EghsaWEB
- lists.apache.org/thread.html/5e6c92145deddcecf70c3604041dcbd615efa2d37632fc2b9c367780%40%3Cjava-dev.axis.apache.org%3EnvdWEB
- lists.apache.org/thread.html/5e6c92145deddcecf70c3604041dcbd615efa2d37632fc2b9c367780@%3Cjava-dev.axis.apache.org%3EghsaWEB
- lists.apache.org/thread.html/8aa25c99eeb0693fc229ec87d1423b5ed5d58558618706d8aba1d832%40%3Cjava-dev.axis.apache.org%3EnvdWEB
- lists.apache.org/thread.html/8aa25c99eeb0693fc229ec87d1423b5ed5d58558618706d8aba1d832@%3Cjava-dev.axis.apache.org%3EghsaWEB
- lists.apache.org/thread.html/a308887782e05da7cf692e4851ae2bd429a038570cbf594e6631cc8d%40%3Cjava-dev.axis.apache.org%3EnvdWEB
- lists.apache.org/thread.html/a308887782e05da7cf692e4851ae2bd429a038570cbf594e6631cc8d@%3Cjava-dev.axis.apache.org%3EghsaWEB
- lists.apache.org/thread.html/de2af12dcaba653d02b03235327ca4aa930401813a3cced8e151d29c%40%3Cjava-dev.axis.apache.org%3EnvdWEB
- lists.apache.org/thread.html/de2af12dcaba653d02b03235327ca4aa930401813a3cced8e151d29c@%3Cjava-dev.axis.apache.org%3EghsaWEB
- web.archive.org/web/20160815194947/http://www.securitytracker.com/id/1030745ghsaWEB
- web.archive.org/web/20200227173427/http://www.securityfocus.com/bid/69295ghsaWEB
- www.oracle.com/security-alerts/cpujan2020.htmlnvdWEB
- secunia.com/advisories/61222nvd
- www.securityfocus.com/bid/69295nvd
- www.securitytracker.com/id/1030745nvd
News mentions
0No linked articles in our index yet.