The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain.
References
Link | Resource |
---|---|
http://community.igniterealtime.org/blogs/ignite/2014/04/17/asmack-400-rc1-has-been-released | Vendor Advisory |
http://issues.igniterealtime.org/browse/SMACK-410 | Issue Tracking Vendor Advisory |
http://rhn.redhat.com/errata/RHSA-2015-1176.html | Third Party Advisory |
http://secunia.com/advisories/59290 | Third Party Advisory |
http://secunia.com/advisories/59291 | Third Party Advisory |
http://www.kb.cert.org/vuls/id/489228 | Third Party Advisory US Government Resource |
http://www.securityfocus.com/bid/67119 | Third Party Advisory VDB Entry |
Configurations
History
23 Feb 2021, 16:12
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-295 | |
CPE | cpe:2.3:a:igniterealtime:smack:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-16:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:3.3.0:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:3.0.2:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:3.2.2:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-12:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:3.2.0:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-11:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-18:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-26:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-21:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:2.2.0:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:3.0.1:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-13:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-04-06:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:3.0.0:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-10:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:3.0.3:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-04-13:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:3.4.0:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-04-09:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-29:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-02-16:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:*:snapshot-2014-04-15:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-02-19:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:3.3.1:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-02:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-02-21:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:3.2.1:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-02-18:*:*:*:*:*:* cpe:2.3:a:redhat:jboss_fuse:*:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-02-20:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-25:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-03:*:*:*:*:*:* |
cpe:2.3:a:igniterealtime:smack:*:*:*:*:*:*:*:* |
References | (CONFIRM) http://community.igniterealtime.org/blogs/ignite/2014/04/17/asmack-400-rc1-has-been-released - Vendor Advisory | |
References | (BID) http://www.securityfocus.com/bid/67119 - Third Party Advisory, VDB Entry | |
References | (REDHAT) http://rhn.redhat.com/errata/RHSA-2015-1176.html - Third Party Advisory | |
References | (SECUNIA) http://secunia.com/advisories/59290 - Third Party Advisory | |
References | (CONFIRM) http://issues.igniterealtime.org/browse/SMACK-410 - Issue Tracking, Vendor Advisory | |
References | (SECUNIA) http://secunia.com/advisories/59291 - Third Party Advisory | |
References | (CERT-VN) http://www.kb.cert.org/vuls/id/489228 - Third Party Advisory, US Government Resource |
Information
Published : 2014-04-30 10:49
Updated : 2023-12-10 11:31
NVD link : CVE-2014-0363
Mitre link : CVE-2014-0363
CVE.ORG link : CVE-2014-0363
JSON object : View
Products Affected
igniterealtime
- smack
CWE
CWE-295
Improper Certificate Validation