CVE-2014-3577
- Reference to the description:
- Description:
- org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
- Last updated date:
- 10/27/2023
- Type:
- exploit
- Confidence:
- HIGH
- Date of publishing:
- 06/16/2021
- Reference url to background
http://packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-Middle.html
- Type:
- exploit
- Confidence:
- HIGH
- Date of publishing:
- 06/16/2021
- Reference url to background