Closed mend-bolt-for-github[bot] closed 2 years ago
:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
CVE-2014-3596 - Medium Severity Vulnerability
Vulnerable Library - axis-1.4.jar
POM was created from deploy:deploy-file
Path to dependency file: MyTest/pom.xml
Path to vulnerable library: 20201014070535_IWZCUR/downloadResource_YKIDYI/20201014071124/axis-1.4.jar
Dependency Hierarchy:
- :x: **axis-1.4.jar** (Vulnerable Library)
Found in HEAD commit: e5de90517a1184858b277fcf3eb6f530183ac30b
Vulnerability Details
The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.
Publish Date: 2014-08-27
URL: CVE-2014-3596
CVSS 2 Score Details (5.8)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: http://xforce.iss.net/xforce/xfdb/95377
Release Date: 2017-12-31
Fix Resolution: Refer to Apache Web site for patch, upgrade or suggested workaround information. See References. For IBM products: Refer to the appropriate IBM Security Bulletin for patch, upgrade or suggested workaround information. See References. For other distributions: Apply the appropriate update for your system.