Vulnerability Details : CVE-2014-5075
The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Products affected by CVE-2014-5075
- cpe:2.3:a:redhat:jboss_fuse:*:*:*:*:*:*:*:*
- cpe:2.3:a:igniterealtime:smack_api:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-5075
0.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 31 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-5075
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST |
CWE ids for CVE-2014-5075
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-5075
-
http://rhn.redhat.com/errata/RHSA-2015-1176.html
RHSA-2015:1176 - Security Advisory - Red Hat Customer Portal
-
http://op-co.de/CVE-2014-5075.html
-
http://www.securityfocus.com/bid/69064
Ignite Realtime Smack 'Hostname' Verification SSL Certificate Security Bypass Vulnerability
Jump to