MEDIUM✓ PATCH🇵🇱 Wersja polska

CVE-2014-3577

CVSS 5.8v2.0pub. 2014-08-21upd. 2026-05-06

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

CVSS Vector
AV:N/AC:M/Au:N/C:P/I:P/A:N
  • Apache Httpasyncclient

    APP
    Apache
    4.0 – 4.0.1
  • Apache Httpclient

    APP
    Apache
    4.0 – 4.3.4
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2013-4366CRITICAL9.8ten sam produkt

http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509Hostn...

CVE-2026-40542HIGH7.3ten sam produkt

Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to acc...

CVE-2025-27820HIGH7.5ten sam produkt

A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management a...

CVE-2020-13956MEDIUM5.3ten sam produkt

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in...

CVE-2015-5262MEDIUM4.3ten sam produkt

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the htt...