Moderate severityNVD Advisory· Published Apr 4, 2019· Updated Aug 6, 2024

CVE-2014-3603

Description

The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
edu.internet2.middleware:shibboleth-identityproviderMaven	< 2.4.1	2.4.1
org.opensaml:opensamlMaven	< 2.6.2	2.6.2

Affected products

Shibboleth; Opensaml Java/Opensaml Javav5
Range: < 2.6.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

secunia.com/advisories/60816mitrethird-party-advisoryx_refsource_SECUNIA
github.com/advisories/GHSA-rm7v-gqfg-p2wcghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2014-3603ghsaADVISORY
shibboleth.net/community/advisories/secadv_20140813.txtghsax_refsource_CONFIRMWEB
bugzilla.redhat.com/show_bug.cgighsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000