CVE-2014-3522
Severity (CVSS v4.0): Pending analysis
Type: CWE-297 (Improper Validation of Certificate with Host Mismatch)
Publication date: 19/08/2014
Last modified: 12/04/2025
Description
The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
Impact
Base Score (CVSS 2.0): 4.00
Severity (CVSS 2.0): MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:apache:subversion:1.4.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:subversion:1.4.1:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:subversion:1.4.2:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:subversion:1.4.3:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:subversion:1.4.4:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:subversion:1.4.5:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:subversion:1.4.6:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:subversion:1.5.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:subversion:1.5.1:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:subversion:1.5.2:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:subversion:1.5.3:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:subversion:1.5.4:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:subversion:1.5.5:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:subversion:1.5.6:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:subversion:1.5.7:*:*:*:*:*:*:* | | |
The table above is a partial listing; the complete list of affected CPE names with products and versions is available on the source's full CPE page (link not preserved in this extract).
References to Advisories, Solutions, and Tools
- http://lists.apple.com/archives/security-announce/2015/Mar/msg00003.html
- http://lists.opensuse.org/opensuse-updates/2014-08/msg00038.html
- http://secunia.com/advisories/59432
- http://secunia.com/advisories/59584
- http://secunia.com/advisories/60100
- http://secunia.com/advisories/60722
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://www.osvdb.org/109996
- http://www.securityfocus.com/bid/69237
- http://www.ubuntu.com/usn/USN-2316-1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95090
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95311
- https://security.gentoo.org/glsa/201610-05
- https://subversion.apache.org/security/CVE-2014-3522-advisory.txt
- https://support.apple.com/HT204427