GHSA-273v-g3x4-r3rc

Suggest an improvement
Source
https://github.com/advisories/GHSA-273v-g3x4-r3rc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-273v-g3x4-r3rc/GHSA-273v-g3x4-r3rc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-273v-g3x4-r3rc
Aliases
  • CVE-2014-3607
Published
2022-05-14T03:47:38Z
Modified
2023-11-08T03:57:39.571742Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Improper Certificate Validation in vt-ldap
Details

DefaultHostnameVerifier in Ldaptive (formerly vt-ldap) does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

References

Affected packages

Maven / edu.vt.middleware:vt-ldap

Package

Name
edu.vt.middleware:vt-ldap
View open source insights on deps.dev
Purl
pkg:maven/edu.vt.middleware/vt-ldap

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.3.8

Affected versions

3.*

3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7

Maven / edu.internet2.middleware:shibboleth-identityprovider

Package

Name
edu.internet2.middleware:shibboleth-identityprovider
View open source insights on deps.dev
Purl
pkg:maven/edu.internet2.middleware/shibboleth-identityprovider

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.4.2