CVE-2014-3522: Improper Validation of Certificate with Host Mismatch in Apache Subversion

Severity: 4.0 MEDIUM (NVD)
EPSS: 2.6% (top 14.32%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 19; Latest update May 14

Description

The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

CVSS vector

AV:N/AC:H/C:P/I:P/A:N
Exploitability: 4.9 | Impact: 4.9

Affected Packages (4 packages)

Source   Package             Versions
Debian   apache/subversion   < 1.8.10-1 (+3 more)
NVD      apache/subversion   67 versions (+66 more)
NVD      apple/xcode         6.1.1
NVD      opensuse/opensuse   12.3, 13.1 (+1 more)

Also affects: Ubuntu Linux 12.04, 14.04

Patches

Vulnerability Details (4)

GHSA     GHSA-962w-gj84-vpr7: The Serf RA layer in Apache Subversion 1...   2022-05-14
OSV      CVE-2014-3522: The Serf RA layer in Apache Subversion 1...         2014-08-19
CVEList  CVE-2014-3522: The Serf RA layer in Apache Subversion 1...         2014-08-19
OSV      subversion vulnerabilities                                          2014-08-14

Vendor Advisories (5)

Ubuntu   Subversion vulnerabilities                                                                          2014-08-14
Red Hat  subversion: incorrect SSL certificate validation in Serf RA (repository access) layer                2014-08-11
Debian   CVE-2014-3522: subversion - The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8...   2014
Apple    CVE-2014-3522: Xcode 6.2
Apache   Apache subversion: CVE-2014-3522

Community (2)

Bugzilla  CVE-2014-3522 subversion: incorrect SSL certificate validation in Serf RA (repository access) layer [fedora-all]   2014-08-11
Bugzilla  CVE-2014-3522 subversion: incorrect SSL certificate validation in Serf RA (repository access) layer                2014-08-06
CVE-2014-3522 — Apache Subversion vulnerability | cvebase