CVE-2014-3577 (Medium) detected in httpclient-4.3.3.jar

[mend-bolt-for-github[bot]]

CVE-2014-3577 - Medium Severity Vulnerability

Vulnerable Library - httpclient-4.3.3.jar

HttpComponents Client

Library home page: http://hc.apache.org/

Path to dependency file: Simple-Logistics/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.3.3/18f4247ff4572a074444572cee34647c43e7c9c7/httpclient-4.3.3.jar

Dependency Hierarchy: - forge-1.12.2-14.23.5.2854_mapped_snapshot_20171003-1.12 (Root Library) - client-1.12.2 - :x: **httpclient-4.3.3.jar** (Vulnerable Library)

Found in HEAD commit: a6187db1761e4405646643b4cd77538266015b03

Found in base branch: master

Vulnerability Details

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

Publish Date: 2014-08-21

URL: CVE-2014-3577

CVSS 2 Score Details (5.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3577

Release Date: 2014-08-21

Fix Resolution: 4.3.5,4.0.2

---

Step up your Open Source Security Game with WhiteSource here

[issue-label-bot[bot]]

Issue-Label Bot is automatically applying the label bug to this issue, with a confidence of 0.80. Please mark this comment with :thumbsup: or :thumbsdown: to give our bot feedback!

Links: app homepage, dashboard and code for this bot.