{"id":"GHSA-273v-g3x4-r3rc","summary":"Improper Certificate Validation in vt-ldap","details":"DefaultHostnameVerifier in Ldaptive (formerly vt-ldap) does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.","aliases":["CVE-2014-3607"],"modified":"2023-11-08T03:57:39.571742Z","published":"2022-05-14T03:47:38Z","database_specific":{"cwe_ids":["CWE-295"],"github_reviewed_at":"2022-11-01T22:01:42Z","nvd_published_at":"2018-01-08T19:29:00Z","severity":"MODERATE","github_reviewed":true},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2014-3607"},{"type":"WEB","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1140438"},{"type":"WEB","url":"https://code.google.com/archive/p/vt-middleware/issues/226"},{"type":"WEB","url":"https://code.google.com/archive/p/vt-middleware/issues/227"},{"type":"WEB","url":"https://code.google.com/archive/p/vt-middleware/issues/228"},{"type":"WEB","url":"https://code.google.com/archive/p/vt-middleware/source/default/commits"},{"type":"WEB","url":"https://code.google.com/p/vt-middleware/source/detail?r=3046"},{"type":"WEB","url":"http://shibboleth.net/community/advisories/secadv_20140919.txt"}],"affected":[{"package":{"name":"edu.vt.middleware:vt-ldap","ecosystem":"Maven","purl":"pkg:maven/edu.vt.middleware/vt-ldap"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.3.8"}]}],"versions":["3.3.1","3.3.2","3.3.3","3.3.4","3.3.5","3.3.6","3.3.7"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-273v-g3x4-r3rc/GHSA-273v-g3x4-r3rc.json"}},{"package":{"name":"edu.internet2.middleware:shibboleth-identityprovider","ecosystem":"Maven","purl":"pkg:maven/edu.internet2.middleware/shibboleth-identityprovider"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-273v-g3x4-r3rc/GHSA-273v-g3x4-r3rc.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}