CVE-2016-10027
https://notcve.org/view.php?id=CVE-2016-10027
12 Jan 2017 — Race condition in the XMPP library in Smack before 4.1.9, when the SecurityMode.required TLS setting has been set, allows man-in-the-middle attackers to bypass TLS protections and trigger use of cleartext for client authentication by stripping the "starttls" feature from a server response. • http://www.openwall.com/lists/oss-security/2016/12/22/12 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2014-0363 – smack: incorrect X.509 certificate validation
https://notcve.org/view.php?id=CVE-2014-0363
30 Apr 2014 — The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain. • http://community.igniterealtime.org/blogs/ignite/2014/04/17/asmack-400-rc1-has-been-released • CWE-295: Improper Certificate Validation
CVE-2014-0364 – smack: IQ response spoofing
https://notcve.org/view.php?id=CVE-2014-0364
30 Apr 2014 — The ParseRoster component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify the from attribute of a roster-query IQ stanza, which allows remote attackers to spoof IQ responses via a crafted attribute. It was found that the ParseRoster component in the ... • http://community.igniterealtime.org/blogs/ignite/2014/04/17/asmack-400-rc1-has-been-released • CWE-345: Insufficient Verification of Data Authenticity