CVE-2014-3603: Improper Validation of Certificate with Host Mismatch

April 4, 2019 (updated April 8, 2019)

The (1) HttpResource and (2) FileBackedHttpResource implementations in OpenSAML do not verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

References

shibboleth.net/community/advisories/secadv_20140813.txt
bugzilla.redhat.com/CVE-2014-3603

Detect and mitigate CVE-2014-3603 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →