CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 0CVE-2013-7398 – async-http-client: missing hostname verification for SSL certificates
https://notcve.org/view.php?id=CVE-2013-7398
main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client (aka AHC or async-http-client) before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate. main/java/com/ning/http/client/AsyncHttpClientConfig.java en Async Http Client (también conocido como AHC o async-http-client) anterior a 1.9.0 no requiere una coincidencia de nombre de anfitrión durante la verificación de los certificados X.509, lo que permite a atacantes man-in-the-middle falsificar servidores HTTPS a través de un certificado válido arbitrario. It was found that async-http-client did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name. • http://openwall.com/lists/oss-security/2014/08/26/1 http://rhn.redhat.com/errata/RHSA-2015-0850.html http://rhn.redhat.com/errata/RHSA-2015-0851.html http://rhn.redhat.com/errata/RHSA-2015-1176.html http://rhn.redhat.com/errata/RHSA-2015-1551.html http://www.securityfocus.com/bid/69317 https://github.com/AsyncHttpClient/async-http-client/issues/197 https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E https://l • CWE-297: Improper Validation of Certificate with Host Mismatch CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2014-5075 – smack: MitM vulnerability
https://notcve.org/view.php?id=CVE-2014-5075
The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. La API Ignite Realtime Smack XMPP 4.x anterior a 4.0.2, y 3.x y 2.x cuando se utiliza un SSLContext personalizado, no verifica que el nombre del servidor coincide con un nombre de dominio en el campo de asunto Common Name (CN) o subjectAltName del certificado X.509, lo que permite a atacantes man-in-the-middle suplantar los servidores SSL a través de un certificado válido arbitrario. It was found that SSLSocket in Smack did not perform hostname verification. An attacker could redirect traffic between an application and an XMPP server by providing a valid certificate for a domain under the attacker's control. • http://op-co.de/CVE-2014-5075.html http://rhn.redhat.com/errata/RHSA-2015-1176.html http://secunia.com/advisories/59915 http://www.securityfocus.com/bid/69064 https://access.redhat.com/security/cve/CVE-2014-5075 https://bugzilla.redhat.com/show_bug.cgi?id=1127276 • CWE-310: Cryptographic Issues •
CVSS: 2.1EPSS: 0%CPEs: 2EXPL: 0CVE-2014-0085 – Fuse: admin user cleartext password appears in logging
https://notcve.org/view.php?id=CVE-2014-0085
JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. Note: this description has been updated; previous text mistakenly identified the source of the flaw as Zookeeper. Previous text: Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log. JBoss Fuse no habilitaba contraseñas cifradas por defecto en su uso de Apache Zookeeper. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0085 https://access.redhat.com/security/cve/CVE-2014-0085 https://bugzilla.redhat.com/show_bug.cgi?id=1067265 • CWE-255: Credentials Management Errors CWE-522: Insufficiently Protected Credentials •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 1CVE-2013-4372 – Console: Stored cross-site scripting (XSS)
https://notcve.org/view.php?id=CVE-2013-4372
Multiple cross-site scripting (XSS) vulnerabilities in Fuse Management Console in Red Hat JBoss Fuse 6.0.0 before patch 3 and JBoss A-MQ 6.0.0 before patch 3 allow remote attackers to inject arbitrary web script or HTML via the (1) user field in the create user page or (2) profile version to the create profile page. Múltiples vulnerabilidades de XSS en Fuse Management Console en Red Hat JBoss Fuse 6.0.0 anterior al parche 3 y JBoss A-MQ 6.0.0 anterior al parche 3 permite a atacantes remotos inyectar script web o HTML arbitrario a través de (1) campos de usuario en la página de creación de usuarios o (2) en la versión de perfil de la página de creación de perfiles. • http://fusesource.com/forge/git/fuseenterprise.git/?p=fuseenterprise.git%3Ba=commitdiff%3Bh=f5436ea1c5547c851bb6f92561272fe42c146e68 http://fusesource.com/issues/browse/FMC-495 http://rhn.redhat.com/errata/RHSA-2013-1286.html http://rhn.redhat.com/errata/RHSA-2013-1862.html http://www.securityfocus.com/bid/62659 https://bugzilla.redhat.com/show_bug.cgi?id=1011736 https://github.com/jboss-fuse/fuse/commit/e280cb370323eeb759030919d5111ed809e8ded5 https://access.redhat.com/security/cve/CVE-2013-4372 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •