CVE-2014-3577

Severity: medium
Published 2014-08-21 · Modified 2024-12-03
CVSS v3: (none listed)
CVSS v2: 5.8
VIR risk: 5.8

Description

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor (authored 2026-05-27): Vendor advisory, debian: https://security-tracker.debian.org/tracker/CVE-2014-3577

vendor (authored 2026-05-27): Vendor advisory, suse: https://www.suse.com/security/cve/CVE-2014-3577.html

OS impact

OS        Version      Status      Fixed in
suse      sles         affected    (none listed)
arch      arch         fixed       2.315-1
debian    bookworm     fixed       3.1-11
debian    bullseye     fixed       3.1-11
debian    forky        fixed       3.1-11
debian    sid          fixed       3.1-11
debian    trixie       fixed       3.1-11

Package impact

Ecosystem       Package                                  Vulnerable    Fixed
Maven (java)    org.apache.httpcomponents:httpclient     <4.3.5        4.3.5

Application impact

Vendor    Product            Versions                          Fixed
apache    httpclient         4.0 through 4.3.4 (inclusive)     (none listed)
apache    httpasyncclient    4.0 through 4.0.1 (inclusive)     (none listed)
