CWE-297
AllowedImproper Validation of Certificate with Host Mismatch
Abstraction: Variant · Status: Incomplete
The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.
99 vulnerabilities reference this CWE, most recent first.
GHSA-H83P-72JV-G7VP
Vulnerability from github – Published: 2024-08-31 00:31 – Updated: 2024-11-13 18:52A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.kroxylicious:kroxylicious-runtime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-8285"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-297"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-03T20:17:06Z",
"nvd_published_at": "2024-08-30T22:15:06Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server\u0027s hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.",
"id": "GHSA-h83p-72jv-g7vp",
"modified": "2024-11-13T18:52:35Z",
"published": "2024-08-31T00:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8285"
},
{
"type": "WEB",
"url": "https://github.com/kroxylicious/kroxylicious/commit/8be1efcb0a2160fa3ad4cb0e5a27e60160774dce"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:9571"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-8285"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2308606"
},
{
"type": "PACKAGE",
"url": "https://github.com/kroxylicious/kroxylicious"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Missing hostname validation in Kroxylicious"
}
GHSA-H8VM-65GC-GW46
Vulnerability from github – Published: 2024-09-25 03:30 – Updated: 2024-09-25 03:30IBM Storage Defender 2.0.0 through 2.0.7 on-prem defender-sensor-cmd CLI does not validate server name during registration and unregistration operations which could expose sensitive information to an attacker with access to the system.
{
"affected": [],
"aliases": [
"CVE-2024-38324"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-297"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-25T01:15:40Z",
"severity": "MODERATE"
},
"details": "IBM Storage Defender 2.0.0 through 2.0.7 on-prem defender-sensor-cmd CLI does not validate server name during registration and unregistration operations which could expose sensitive information to an attacker with access to the system.",
"id": "GHSA-h8vm-65gc-gw46",
"modified": "2024-09-25T03:30:35Z",
"published": "2024-09-25T03:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38324"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7168640"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HW58-3793-42GG
Vulnerability from github – Published: 2025-04-30 17:24 – Updated: 2025-08-07 15:47A flaw was found in Keycloak. By setting a verification policy to 'ANY', the trust store certificate verification is skipped, which is unintended.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-3501"
],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-30T17:24:21Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "A flaw was found in Keycloak. By setting a verification policy to \u0027ANY\u0027, the trust store certificate verification is skipped, which is unintended.",
"id": "GHSA-hw58-3793-42gg",
"modified": "2025-08-07T15:47:35Z",
"published": "2025-04-30T17:24:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-hw58-3793-42gg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3501"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/issues/39350"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/pull/39366"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/99ca24c832729075e04d8bc58666089268314272"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:4335"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:4336"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-3501"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358834"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak hostname verification"
}
GHSA-JW9P-3GC4-84RW
Vulnerability from github – Published: 2024-09-03 15:30 – Updated: 2024-09-05 15:33Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection. This has been corrected so that default certificates are no longer capable of overriding host name validation and will need to be replaced where full TLS certificate validation is needed for network security. The existing certificates should be replaced with CA-signed certificates from a recognized certificate authority that contain the necessary information to support host name validation.
{
"affected": [],
"aliases": [
"CVE-2024-7346"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-297"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-03T15:15:16Z",
"severity": "HIGH"
},
"details": "Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection.\u00a0 This has been corrected so that default certificates are no longer capable of overriding host name validation and will need to be replaced where full TLS certificate validation is needed for network security.\u00a0 The existing certificates should be replaced with CA-signed certificates from a recognized certificate authority that contain the necessary information to support host name validation.",
"id": "GHSA-jw9p-3gc4-84rw",
"modified": "2024-09-05T15:33:34Z",
"published": "2024-09-03T15:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7346"
},
{
"type": "WEB",
"url": "https://community.progress.com/s/article/Client-connections-using-default-TLS-certificates-from-OpenEdge-may-bypass-TLS-host-name-validation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PX2C-R924-MWCC
Vulnerability from github – Published: 2025-06-18 15:31 – Updated: 2025-06-18 19:42The Couchbase .NET SDK (client library) before 3.7.1 does not properly enable hostname verification for TLS certificates. In fact, the SDK was also using IP addresses instead of hostnames due to a configuration option that was incorrectly enabled by default.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 3.7.1"
},
"package": {
"ecosystem": "NuGet",
"name": "CouchbaseNetClient"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-49015"
],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-18T19:42:25Z",
"nvd_published_at": "2025-06-18T14:15:44Z",
"severity": "MODERATE"
},
"details": "The Couchbase .NET SDK (client library) before 3.7.1 does not properly enable hostname verification for TLS certificates. In fact, the SDK was also using IP addresses instead of hostnames due to a configuration option that was incorrectly enabled by default.",
"id": "GHSA-px2c-r924-mwcc",
"modified": "2025-06-18T19:42:25Z",
"published": "2025-06-18T15:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49015"
},
{
"type": "WEB",
"url": "https://github.com/couchbase/couchbase-net-client/commit/04d1679b2178f922036be6e595b3d91f972c5ba3"
},
{
"type": "WEB",
"url": "https://docs.couchbase.com/server/current/release-notes/relnotes.html"
},
{
"type": "WEB",
"url": "https://forums.couchbase.com/tags/security"
},
{
"type": "PACKAGE",
"url": "https://github.com/couchbase/couchbase-net-client"
},
{
"type": "WEB",
"url": "https://www.couchbase.com/alerts"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Couchbase .NET SDK (client library) does not properly enable hostname verification for TLS certificates"
}
GHSA-PXP5-G66H-WPV2
Vulnerability from github – Published: 2022-09-22 00:00 – Updated: 2022-12-06 19:54Jenkins View26 Test-Reporting Plugin 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server that could be abused using a man-in-the-middle attack to intercept these connections.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:view26"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-41244"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-297"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-23T13:30:36Z",
"nvd_published_at": "2022-09-21T16:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins View26 Test-Reporting Plugin 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server that could be abused using a man-in-the-middle attack to intercept these connections.",
"id": "GHSA-pxp5-g66h-wpv2",
"modified": "2022-12-06T19:54:53Z",
"published": "2022-09-22T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41244"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/view26-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2069"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Missing hostname validation in Jenkins View26 Test-Reporting Plugin"
}
GHSA-R4MC-2XRG-97HV
Vulnerability from github – Published: 2023-09-01 12:30 – Updated: 2024-04-04 07:21An improper certificate validation vulnerability [CWE-295] in FortiManager 7.0.1 and below, 6.4.6 and below; FortiAnalyzer 7.0.2 and below, 6.4.7 and below; FortiOS 6.2.x and 6.0.x; FortiSandbox 4.0.x, 3.2.x and 3.1.x may allow a network adjacent and unauthenticated attacker to man-in-the-middle the communication between the listed products and some external peers.
{
"affected": [],
"aliases": [
"CVE-2022-22305"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-297"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-01T12:15:08Z",
"severity": "MODERATE"
},
"details": "An improper certificate validation vulnerability [CWE-295] in\u00a0FortiManager 7.0.1 and below, 6.4.6 and below; FortiAnalyzer 7.0.2 and below, 6.4.7 and below; FortiOS 6.2.x and 6.0.x; FortiSandbox 4.0.x, 3.2.x and 3.1.x may allow a network adjacent and unauthenticated attacker to\u00a0man-in-the-middle the communication between the listed products and some external peers.",
"id": "GHSA-r4mc-2xrg-97hv",
"modified": "2024-04-04T07:21:33Z",
"published": "2023-09-01T12:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22305"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-18-292"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R53V-VM87-F72C
Vulnerability from github – Published: 2018-10-16 20:50 – Updated: 2024-03-01 20:29The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.axis:axis"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "axis:axis"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-3596"
],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:53:43Z",
"nvd_published_at": "2014-08-27T00:55:00Z",
"severity": "MODERATE"
},
"details": "The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject\u0027s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.",
"id": "GHSA-r53v-vm87-f72c",
"modified": "2024-03-01T20:29:59Z",
"published": "2018-10-16T20:50:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3596"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200227173427/http://www.securityfocus.com/bid/69295"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20160815194947/http://www.securitytracker.com/id/1030745"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/de2af12dcaba653d02b03235327ca4aa930401813a3cced8e151d29c@%3Cjava-dev.axis.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/de2af12dcaba653d02b03235327ca4aa930401813a3cced8e151d29c%40%3Cjava-dev.axis.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/a308887782e05da7cf692e4851ae2bd429a038570cbf594e6631cc8d@%3Cjava-dev.axis.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/a308887782e05da7cf692e4851ae2bd429a038570cbf594e6631cc8d%40%3Cjava-dev.axis.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/8aa25c99eeb0693fc229ec87d1423b5ed5d58558618706d8aba1d832@%3Cjava-dev.axis.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/8aa25c99eeb0693fc229ec87d1423b5ed5d58558618706d8aba1d832%40%3Cjava-dev.axis.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/5e6c92145deddcecf70c3604041dcbd615efa2d37632fc2b9c367780@%3Cjava-dev.axis.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/5e6c92145deddcecf70c3604041dcbd615efa2d37632fc2b9c367780%40%3Cjava-dev.axis.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/44d4e88a5fa8ae60deb752029afe9054da87c5f859caf296fcf585e5@%3Cjava-dev.axis.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/44d4e88a5fa8ae60deb752029afe9054da87c5f859caf296fcf585e5%40%3Cjava-dev.axis.apache.org%3E"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/AXIS-2905"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/95377"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1129935"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2014-3596"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2015:1010"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2014:1193"
},
{
"type": "WEB",
"url": "http://linux.oracle.com/errata/ELSA-2014-1193.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00007.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00022.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1193.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/08/20/2"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Improper Validation of Certificates in apache axis"
}
GHSA-R934-W73G-V4P8
Vulnerability from github – Published: 2025-04-29 21:31 – Updated: 2025-06-09 15:31Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-hw58-3793-42gg. This link is maintained to preserve external references.
Original Description
A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-30T17:24:10Z",
"nvd_published_at": "2025-04-29T21:15:51Z",
"severity": "HIGH"
},
"details": "# Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-hw58-3793-42gg. This link is maintained to preserve external references.\n\n# Original Description\nA flaw was found in Keycloak. By setting a verification policy to \u0027ALL\u0027, the trust store certificate verification is skipped, which is unintended.",
"id": "GHSA-r934-w73g-v4p8",
"modified": "2025-06-09T15:31:36Z",
"published": "2025-04-29T21:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3501"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:4335"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:4336"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:8672"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:8690"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-3501"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358834"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Keycloak hostname verification",
"withdrawn": "2025-04-30T17:24:10Z"
}
GHSA-RM7V-GQFG-P2WC
Vulnerability from github – Published: 2022-05-14 01:11 – Updated: 2022-07-07 22:38The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "edu.internet2.middleware:shibboleth-identityprovider"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.opensaml:opensaml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-3603"
],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-07T22:38:37Z",
"nvd_published_at": "2019-04-04T14:29:00Z",
"severity": "MODERATE"
},
"details": "The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject\u0027s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
"id": "GHSA-rm7v-gqfg-p2wc",
"modified": "2022-07-07T22:38:37Z",
"published": "2022-05-14T01:11:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3603"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131823"
},
{
"type": "WEB",
"url": "http://shibboleth.net/community/advisories/secadv_20140813.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Validation of Certificate with Host Mismatch in Shibboleth Identity Provider and OpenSAML Java"
}
Mitigation
Fully check the hostname of the certificate and provide the user with adequate information about the nature of the problem and how to proceed.
Mitigation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
No CAPEC attack patterns related to this CWE.