Vulnerability

CVE-2014-0363

 Report advisory or correction

CVSS Score 5.8 medium

CVSS Vector

AV:N/AC:M/Au:N/C:P/I:P/A:N

CWE

CWE-295

References

https://issues.igniterealtime.org/browse/SMACK-410
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0363

[CVE-2014-0363] CWE-295: Improper Certificate Validation

Description

The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain.

See jivesoftware/smack package information