Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/httpcomponents/httpclient/4.2.5/httpclient-4.2.5.jar
Dependency Hierarchy:
foxtrot-common-6.3.1-7.jar (Root Library)
  common-utils-1.4.jar
    maven-dependency-plugin-3.1.1.jar
      maven-reporting-impl-2.3.jar
        doxia-core-1.2.jar
          ❌ httpclient-4.2.5.jar (Vulnerable Library)
httpclient-4.0.2.jar
HttpComponents Client (base module)
Path to dependency file: /foxtrot-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/httpcomponents/httpclient/4.0.2/httpclient-4.0.2.jar
mend-for-github-com bot changed the title from "CVE-2014-3577 (Medium) detected in httpclient-4.0.2.jar, httpclient-4.2.5.jar" to "CVE-2014-3577 (Medium) detected in httpclient-4.2.5.jar, httpclient-4.0.2.jar" on Feb 17, 2022
mend-for-github-com bot changed the title from "CVE-2014-3577 (Medium) detected in httpclient-4.2.5.jar, httpclient-4.0.2.jar" to "CVE-2014-3577 (Medium) detected in httpclient-4.2.5.jar, httpclient-4.0.2.jar - autoclosed" on Jun 16, 2023
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
mend-for-github-com bot changed the title from "CVE-2014-3577 (Medium) detected in httpclient-4.2.5.jar, httpclient-4.0.2.jar - autoclosed" to "CVE-2014-3577 (Medium) detected in httpclient-4.2.5.jar, httpclient-4.0.2.jar" on Jun 21, 2023
CVE-2014-3577 - Medium Severity Vulnerability
Vulnerable Libraries - httpclient-4.2.5.jar, httpclient-4.0.2.jar
httpclient-4.2.5.jar
HttpComponents Client (base module)
Path to dependency file: /foxtrot-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/httpcomponents/httpclient/4.2.5/httpclient-4.2.5.jar
Dependency Hierarchy:
httpclient-4.0.2.jar
HttpComponents Client (base module)
Path to dependency file: /foxtrot-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/httpcomponents/httpclient/4.0.2/httpclient-4.0.2.jar
Dependency Hierarchy:
Found in HEAD commit: ffb8a6014463ce8aac1bf6e7dc9a23fc4a2a8adc
Found in base branch: master
Vulnerability Details
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
Publish Date: 2014-08-21
URL: CVE-2014-3577
CVSS 3 Score Details (4.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2014-08-21
Fix Resolution: org.apache.httpcomponents:httpasyncclient:4.0.2, org.apache.httpcomponents:httpclient:4.3.5