ID CVE-2014-0363
Summary The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain.
References
Vulnerable Configurations
  • Red Hat JBoss Fuse 6.1.0
    cpe:2.3:a:redhat:jboss_fuse:6.1.0
  • igniterealtime Smack 3.4.0
    cpe:2.3:a:igniterealtime:smack:3.4.0
  • igniterealtime Smack 3.3.1
    cpe:2.3:a:igniterealtime:smack:3.3.1
  • igniterealtime Smack 3.3.0
    cpe:2.3:a:igniterealtime:smack:3.3.0
  • igniterealtime Smack 3.2.2
    cpe:2.3:a:igniterealtime:smack:3.2.2
  • igniterealtime Smack 3.2.1
    cpe:2.3:a:igniterealtime:smack:3.2.1
  • igniterealtime Smack 3.2.0
    cpe:2.3:a:igniterealtime:smack:3.2.0
  • igniterealtime Smack 3.1.0
    cpe:2.3:a:igniterealtime:smack:3.1.0
  • igniterealtime Smack 3.0.3
    cpe:2.3:a:igniterealtime:smack:3.0.3
  • igniterealtime Smack 3.0.2
    cpe:2.3:a:igniterealtime:smack:3.0.2
  • igniterealtime Smack 3.0.1
    cpe:2.3:a:igniterealtime:smack:3.0.1
  • igniterealtime Smack 3.0.0
    cpe:2.3:a:igniterealtime:smack:3.0.0
  • igniterealtime Smack 2.2.1
    cpe:2.3:a:igniterealtime:smack:2.2.1
  • igniterealtime Smack 2.2.0
    cpe:2.3:a:igniterealtime:smack:2.2.0
  • igniterealtime Smack 4.0.0 snapshot-2014-04-15
    cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-04-15
  • igniterealtime Smack 4.0.0 snapshot-2014-04-13
    cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-04-13
  • igniterealtime Smack 4.0.0 snapshot-2014-04-09
    cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-04-09
  • igniterealtime Smack 4.0.0 snapshot-2014-04-06
    cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-04-06
  • igniterealtime Smack 4.0.0 snapshot-2014-03-29
    cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-29
  • igniterealtime Smack 4.0.0 snapshot-2014-03-26
    cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-26
  • igniterealtime Smack 4.0.0 snapshot-2014-03-25
    cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-25
  • igniterealtime Smack 4.0.0 snapshot-2014-03-21
    cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-21
  • igniterealtime Smack 4.0.0 snapshot-2014-03-18
    cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-18
  • igniterealtime Smack 4.0.0 snapshot-2014-03-16
    cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-16
  • igniterealtime Smack 4.0.0 snapshot-2014-03-13
    cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-13
  • igniterealtime Smack 4.0.0 snapshot-2014-03-12
    cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-12
  • igniterealtime Smack 4.0.0 snapshot-2014-03-11
    cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-11
  • igniterealtime Smack 4.0.0 snapshot-2014-03-10
    cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-10
  • igniterealtime Smack 4.0.0 snapshot-2014-03-03
    cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-03
  • igniterealtime Smack 4.0.0 snapshot-2014-03-02
    cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-02
  • igniterealtime Smack 4.0.0 snapshot-2014-02-23
    cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-02-23
  • igniterealtime Smack 4.0.0 snapshot-2014-02-21
    cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-02-21
  • igniterealtime Smack 4.0.0 snapshot-2014-02-20
    cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-02-20
  • igniterealtime Smack 4.0.0 snapshot-2014-02-19
    cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-02-19
  • igniterealtime Smack 4.0.0 snapshot-2014-02-18
    cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-02-18
  • igniterealtime Smack 4.0.0 snapshot-2014-02-16
    cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-02-16
CVSS
Base: 5.8 (as of 13-07-2015 - 13:29)
Impact:
Exploitability:
CWE CWE-254
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL NONE
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-16312.NASL
    description fix for CVE-2014-0363 (rhbz#1093274) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 79931
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79931
    title Fedora 21 : smack-3.2.2-8.fc21 (2014-16312)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-16383.NASL
    description fix for CVE-2014-0363 (rhbz#1093274) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 79939
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79939
    title Fedora 20 : smack-3.2.2-6.fc20 (2014-16383)
redhat via4
advisories
rhsa
id RHSA-2015:1176
refmap via4
bid 67119
cert-vn VU#489228
confirm
secunia
  • 59290
  • 59291
Last major update 06-01-2017 - 21:59
Published 30-04-2014 - 06:49
Back to Top