Vulnerability in Apache Subversion

CVE-2014-3522

The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle at…

EPSS: 0.026 (86.0th percentile) — read the EPSS interpretation.

Affected products

Apache Subversion — versions 1.4.0, 1.4.1, 1.4.2
Apple Xcode — versions 6.1.1
Canonical Ubuntu_linux — versions 12.04, 14.04
Opensuse — versions 12.3, 13.1
N/a — versions n/a

Weakness classification (CWE)

CWE-297 — Improper Validation of Certificate with Host Mismatch

References

59432 (x_refsource_SECUNIA, third-party-advisory)
USN-2316-1 (x_refsource_UBUNTU, vendor-advisory, Third Party Advisory)
secalert@redhat.com (x_refsource_CONFIRM, Third Party Advisory)
109996 (x_refsource_OSVDB, vdb-entry)
APPLE-SA-2015-03-09-4 (vendor-advisory, x_refsource_APPLE, Mailing List, Third Party Advisory)
apache-subversion-cve20143522-spoofing(95311) (vdb-entry, x_refsource_XF)
secalert@redhat.com (x_refsource_CONFIRM, Patch, Vendor Advisory)
60100 (x_refsource_SECUNIA, third-party-advisory)
60722 (x_refsource_SECUNIA, third-party-advisory)
69237 (Third Party Advisory, VDB Entry, vdb-entry, x_refsource_BID)