CVE-2014-5075 — Smack API vulnerability

CWE-3106 documents5 sources

Severity

6.8MEDIUMNVD

EPSS

0.2%

top 60.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Igniterealtime Smack API Redhat Jboss Fuse

Timeline

PublishedOct 25

Latest updateMay 17

Description

The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages2 packages

▶NVDigniterealtime/smack_api4.0.1

▶NVDredhat/jboss_fuse6.1.0

🔴Vulnerability Details

GHSA

GHSA-pxxv-xr7h-7624: The Ignite Realtime Smack XMPP API 4↗2022-05-17

▶

CVEList

CVE-2014-5075: The Ignite Realtime Smack XMPP API 4↗2014-10-25

▶

📋Vendor Advisories

Red Hat

smack: MitM vulnerability↗2014-08-05

▶

💬Community

Bugzilla

CVE-2014-5075 smack: MitM vulnerability↗2014-08-06

▶

Bugzilla

CVE-2014-5075 smack: MitM vulnerability [fedora-all]↗2014-08-06

▶