CVE-2014-3504 — Project Serf vulnerability
10 documents, 7 sources
Severity
4.0 MEDIUM (NVD)
EPSS
2.1%
top 15.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Aug 19, 2014
Latest update: May 14, 2022
Description
The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 do not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate. Because the name is handed back as a NUL-terminated C string, everything after the embedded NUL is dropped, so a certificate for "victim.example\0.attacker.example" is seen by the caller as a certificate for "victim.example". This allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. Fixed in Serf 1.3.7.
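The following is an added example, not Serf's own code and not taken from this page, that models the bug class described above. It assumes a simplified DER string element (short-form length only) standing in for the CN value, and two hypothetical check functions, vulnerable_cn_matches() and hardened_cn_matches(), that compare it against an expected hostname. The sample certificate bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal DER reader for one string element (UTF8String, PrintableString or
   IA5String) with a short-form length, which covers CNs up to 127 bytes.
   Returns a pointer to the value bytes and stores their DER length in *len;
   NUL bytes are ordinary value bytes here, exactly as in a real certificate. */
const unsigned char *der_string_value(const unsigned char *tlv, size_t tlv_len,
                                      size_t *len)
{
    if (tlv_len < 2)
        return NULL;
    unsigned char tag = tlv[0];
    if (tag != 0x0C && tag != 0x13 && tag != 0x16)
        return NULL;
    size_t l = tlv[1];
    if (l & 0x80)                 /* long-form length: out of scope for this example */
        return NULL;
    if (2 + l > tlv_len)
        return NULL;
    *len = l;
    return tlv + 2;
}

/* Vulnerable pattern: the DER value is copied into a C string and compared
   with strcmp(), so the comparison stops at the first embedded NUL and the
   trailing ".attacker.test" is never seen. */
int vulnerable_cn_matches(const unsigned char *tlv, size_t tlv_len,
                          const char *expected)
{
    size_t len;
    const unsigned char *v = der_string_value(tlv, tlv_len, &len);
    char buf[128];
    if (!v || len >= sizeof buf)
        return 0;
    memcpy(buf, v, len);
    buf[len] = '\0';
    return strcmp(buf, expected) == 0;
}

/* Hardened pattern: trust the DER length, not strlen(); reject any value
   containing a NUL outright, and require an exact length match. */
int hardened_cn_matches(const unsigned char *tlv, size_t tlv_len,
                        const char *expected)
{
    size_t len;
    const unsigned char *v = der_string_value(tlv, tlv_len, &len);
    if (!v)
        return 0;
    if (memchr(v, '\0', len) != NULL)   /* embedded NUL in a hostname: invalid */
        return 0;
    size_t elen = strlen(expected);
    return len == elen && memcmp(v, expected, len) == 0;
}

/* Constructed sample: UTF8String CN "www.example.com\0.attacker.test"
   (30 value bytes, 0x1E), the kind of CN a CA might sign for the
   attacker-controlled domain "attacker.test". */
const unsigned char crafted_cn[] = {
    0x0C, 0x1E,
    'w','w','w','.','e','x','a','m','p','l','e','.','c','o','m',
    0x00,
    '.','a','t','t','a','c','k','e','r','.','t','e','s','t'
};

/* Constructed sample: honest UTF8String CN "www.example.com". */
const unsigned char honest_cn[] = {
    0x0C, 0x0F,
    'w','w','w','.','e','x','a','m','p','l','e','.','c','o','m'
};

int main(void)
{
    printf("crafted CN:  vulnerable=%d hardened=%d\n",
           vulnerable_cn_matches(crafted_cn, sizeof crafted_cn, "www.example.com"),
           hardened_cn_matches(crafted_cn, sizeof crafted_cn, "www.example.com"));
    printf("honest CN:   vulnerable=%d hardened=%d\n",
           vulnerable_cn_matches(honest_cn, sizeof honest_cn, "www.example.com"),
           hardened_cn_matches(honest_cn, sizeof honest_cn, "www.example.com"));
    return 0;
}
```

The same length-versus-strlen mismatch applies to any DER string pulled out of a certificate, including subjectAltName dNSName entries, which is why the Bugzilla titles on this page mention both fields. When auditing a TLS client, look for code that converts an X.509 name into a C string and then calls strcmp(), strcasecmp() or strlen() on it without first checking that the ASN.1 length equals the string length.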
CVSS vector
AV:N/AC:H/Au:N/C:P/I:P/A:N (CVSS v2). Exploitability subscore: 4.9 | Impact subscore: 4.9
Affected Packages (2 packages)
Also affects: Ubuntu Linux 12.04, 14.04
Vulnerability Details (3)
GHSA: GHSA-4425-mwr9-99xc: The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0 (2022-05-14)
CVEList: CVE-2014-3504: The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0 (2014-08-19)
OSV: CVE-2014-3504: The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0 (2014-08-19)
Vendor Advisories (2)
Community (4)
Bugzilla: CVE-2014-3504 libserf: failure to properly handle a NUL character in the CommonName or SubjectAltNames fields (2014-08-12)
Bugzilla: CVE-2014-3504 libserf: failure to properly handle a NUL character in the CommonName or SubjectAltNames fields [epel-7] (2014-08-12)
Bugzilla: CVE-2014-3504 libserf: failure to properly handle a NUL character in the CommonName or SubjectAltNames fields [fedora-all] (2014-08-12)
Bugzilla: CVE-2014-3504 libserf: failure to properly handle a NUL character in the CommonName or SubjectAltNames fields [epel-6] (2014-08-12)