Man-in-the-Middle (MitM) Affecting org.igniterealtime.smack:smack package, versions [3.1.0,3.2.1)

Threat Intelligence

0.07% (33^rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGIGNITEREALTIMESMACK-31185
published 11 Feb 2015
disclosed 25 Oct 2014
credit Georg Lukas

Report a new vulnerability Found a mistake?

Introduced: 25 Oct 2014

CVE-2014-5075 Open this link in a new tab CWE-300 Open this link in a new tab

Overview

org.igniterealtime.smack:smack The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

References

NVD
op-co

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

Required

Scope (S)

Unchanged

Confidentiality (C)

Low
Integrity (I)

Low
Availability (A)

Low