Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 5.8
CVE Id: CVE-2014-0363
Last Modified: 13 Jul 2015 01:41:51
Published: 30 Apr 2014 06:49:04
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2014-0363

Summary

The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain.

Vulnerable Systems

Application

  • Igniterealtime Smack 2.2.0

  • Igniterealtime Smack 2.2.1

  • Igniterealtime Smack 3.0.0

  • Igniterealtime Smack 3.0.1

  • Igniterealtime Smack 3.0.2

  • Igniterealtime Smack 3.0.3

  • Igniterealtime Smack 3.1.0

  • Igniterealtime Smack 3.2.0

  • Igniterealtime Smack 3.2.1

  • Igniterealtime Smack 3.2.2

  • Igniterealtime Smack 3.3.0

  • Igniterealtime Smack 3.3.1

  • Igniterealtime Smack 3.4.0

  • Igniterealtime Smack 4.0.0

  • Redhat Jboss Fuse 6.1.0


References

CERT-VN - VU#489228

CONFIRM - http://issues.igniterealtime.org/browse/SMACK-410

CONFIRM - http://community.igniterealtime.org/blogs/ignite/2014/04/17/asmack-400-rc1-has-been-released

REDHAT - RHSA-2015:1176


Last Updated: 27 May 2016 11:09:12