Man-in-the-Middle (MitM) Affecting com.neovisionaries:nv-websocket-client Open this link in a new tab package, versions [,2.1)


0.0
medium
  • Attack Complexity

    High

  • Confidentiality

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JAVA-COMNEOVISIONARIES-32007

  • published

    20 Nov 2017

  • disclosed

    23 Apr 2017

  • credit

    blunden

How to fix?

Upgrade com.neovisionaries:nv-websocket-client to version 2.1 or higher.

Overview

com.neovisionaries:nv-websocket-client is a WebSocket client implementation in Java.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). The Java WebSocket client nv-websocket-client does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL/TLS servers via an arbitrary valid certificate.