CVE-2014-3522

The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

CVSS v2.0 4.0 MEDIUM

4.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:H/Au:N/C:P/I:P/A:N

Exploitability : 4.9 / Impact : 4.9

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://lists.apple.com/archives/security-announce/2015/Mar/msg00003.html	Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2014-08/msg00038.html	Third Party Advisory
http://secunia.com/advisories/59432
http://secunia.com/advisories/59584
http://secunia.com/advisories/60100
http://secunia.com/advisories/60722
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
http://www.osvdb.org/109996
http://www.securityfocus.com/bid/69237	Third Party Advisory VDB Entry
http://www.ubuntu.com/usn/USN-2316-1	Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/95090
https://exchange.xforce.ibmcloud.com/vulnerabilities/95311
https://security.gentoo.org/glsa/201610-05
https://subversion.apache.org/security/CVE-2014-3522-advisory.txt	Patch Vendor Advisory
https://support.apple.com/HT204427	Third Party Advisory
http://lists.apple.com/archives/security-announce/2015/Mar/msg00003.html	Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2014-08/msg00038.html	Third Party Advisory
http://secunia.com/advisories/59432
http://secunia.com/advisories/59584
http://secunia.com/advisories/60100
http://secunia.com/advisories/60722
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
http://www.osvdb.org/109996
http://www.securityfocus.com/bid/69237	Third Party Advisory VDB Entry
http://www.ubuntu.com/usn/USN-2316-1	Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/95090
https://exchange.xforce.ibmcloud.com/vulnerabilities/95311
https://security.gentoo.org/glsa/201610-05
https://subversion.apache.org/security/CVE-2014-3522-advisory.txt	Patch Vendor Advisory
https://support.apple.com/HT204427	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:subversion:1.4.0:::::::*
	cpe:2.3:a:apache:subversion:1.4.1:::::::*
	cpe:2.3:a:apache:subversion:1.4.2:::::::*
	cpe:2.3:a:apache:subversion:1.4.3:::::::*
	cpe:2.3:a:apache:subversion:1.4.4:::::::*
	cpe:2.3:a:apache:subversion:1.4.5:::::::*
	cpe:2.3:a:apache:subversion:1.4.6:::::::*
	cpe:2.3:a:apache:subversion:1.5.0:::::::*
	cpe:2.3:a:apache:subversion:1.5.1:::::::*
	cpe:2.3:a:apache:subversion:1.5.2:::::::*
	cpe:2.3:a:apache:subversion:1.5.3:::::::*
	cpe:2.3:a:apache:subversion:1.5.4:::::::*
	cpe:2.3:a:apache:subversion:1.5.5:::::::*
	cpe:2.3:a:apache:subversion:1.5.6:::::::*
	cpe:2.3:a:apache:subversion:1.5.7:::::::*
	cpe:2.3:a:apache:subversion:1.5.8:::::::*
	cpe:2.3:a:apache:subversion:1.6.0:::::::*
	cpe:2.3:a:apache:subversion:1.6.1:::::::*
	cpe:2.3:a:apache:subversion:1.6.2:::::::*
	cpe:2.3:a:apache:subversion:1.6.3:::::::*
	cpe:2.3:a:apache:subversion:1.6.4:::::::*
	cpe:2.3:a:apache:subversion:1.6.5:::::::*
	cpe:2.3:a:apache:subversion:1.6.6:::::::*
	cpe:2.3:a:apache:subversion:1.6.7:::::::*
	cpe:2.3:a:apache:subversion:1.6.8:::::::*
	cpe:2.3:a:apache:subversion:1.6.9:::::::*
	cpe:2.3:a:apache:subversion:1.6.10:::::::*
	cpe:2.3:a:apache:subversion:1.6.11:::::::*
	cpe:2.3:a:apache:subversion:1.6.12:::::::*
	cpe:2.3:a:apache:subversion:1.6.13:::::::*
	cpe:2.3:a:apache:subversion:1.6.14:::::::*
	cpe:2.3:a:apache:subversion:1.6.15:::::::*
	cpe:2.3:a:apache:subversion:1.6.16:::::::*
	cpe:2.3:a:apache:subversion:1.6.17:::::::*
	cpe:2.3:a:apache:subversion:1.6.18:::::::*
	cpe:2.3:a:apache:subversion:1.6.19:::::::*
	cpe:2.3:a:apache:subversion:1.6.20:::::::*
	cpe:2.3:a:apache:subversion:1.6.21:::::::*
	cpe:2.3:a:apache:subversion:1.6.23:::::::*
	cpe:2.3:a:apache:subversion:1.7.0:::::::*
	cpe:2.3:a:apache:subversion:1.7.1:::::::*
	cpe:2.3:a:apache:subversion:1.7.2:::::::*
	cpe:2.3:a:apache:subversion:1.7.3:::::::*
	cpe:2.3:a:apache:subversion:1.7.4:::::::*
	cpe:2.3:a:apache:subversion:1.7.5:::::::*
	cpe:2.3:a:apache:subversion:1.7.6:::::::*
	cpe:2.3:a:apache:subversion:1.7.7:::::::*
	cpe:2.3:a:apache:subversion:1.7.8:::::::*
	cpe:2.3:a:apache:subversion:1.7.9:::::::*
	cpe:2.3:a:apache:subversion:1.7.10:::::::*
	cpe:2.3:a:apache:subversion:1.7.11:::::::*
	cpe:2.3:a:apache:subversion:1.7.12:::::::*
	cpe:2.3:a:apache:subversion:1.7.13:::::::*
	cpe:2.3:a:apache:subversion:1.7.14:::::::*
	cpe:2.3:a:apache:subversion:1.7.15:::::::*
	cpe:2.3:a:apache:subversion:1.7.16:::::::*
	cpe:2.3:a:apache:subversion:1.7.17:::::::*
	cpe:2.3:a:apache:subversion:1.8.0:::::::*
	cpe:2.3:a:apache:subversion:1.8.1:::::::*
	cpe:2.3:a:apache:subversion:1.8.2:::::::*
	cpe:2.3:a:apache:subversion:1.8.3:::::::*
	cpe:2.3:a:apache:subversion:1.8.4:::::::*
	cpe:2.3:a:apache:subversion:1.8.5:::::::*
	cpe:2.3:a:apache:subversion:1.8.6:::::::*
cpe:2.3:a:apache:subversion:1.8.7:::::::*
cpe:2.3:a:apache:subversion:1.8.8:::::::*
cpe:2.3:a:apache:subversion:1.8.9:::::::*

Configuration 2 (hide)

OR	cpe:2.3:o:opensuse:opensuse:12.3:::::::*
	cpe:2.3:o:opensuse:opensuse:13.1:::::::*

Configuration 3 (hide)

OR	cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:::::*
	cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::

Configuration 4 (hide)

cpe:2.3:a:apple:xcode:6.1.1:*:*:*:*:*:*:*

History

No history.

Information

Published : 2014-08-19 18:55

Updated : 2025-04-12 10:46

NVD link : CVE-2014-3522

Mitre link : CVE-2014-3522

CVE.ORG link : CVE-2014-3522

JSON object : View

Products Affected

opensuse

opensuse

apache

subversion

canonical

ubuntu_linux

apple

xcode

CWE

CWE-297

Improper Validation of Certificate with Host Mismatch

4.0 /10