CVE-2014-3504

Description

The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 do not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.

Risk Information

Base Score: 5.9 (MODERATE)
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score (Exploitation Probability): 2.097

Associated Vulnerability

Vulnerability | OS Platform
high-performance asynchronous HTTP client library (USN-2315-1) libserf1_1.0.0-2ubuntu0.1_i386.deb | Linux
high-performance asynchronous HTTP client library (USN-2315-1) libserf1_1.0.0-2ubuntu0.1_amd64.deb | Linux
high-performance asynchronous HTTP client library (USN-2315-1) libserf-1-1_1.3.3-1ubuntu0.1_i386.deb | Linux
high-performance asynchronous HTTP client library (USN-2315-1) libserf-1-1_1.3.3-1ubuntu0.1_amd64.deb | Linux

Patch Details

No records found
