Vulnerability details: VCID-3bxq-vmjj-kqfe
Vulnerability ID VCID-3bxq-vmjj-kqfe
Aliases CVE-2014-3577
GHSA-cfh5-3ghh-wfjx
Summary org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Weaknesses (4)
System Score Found at
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00032.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00033.html
generic_textual MODERATE http://packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-Middle.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2014-1146.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2014-1166.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2014-1833.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2014-1834.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2014-1835.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2014-1836.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2014-1891.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2014-1892.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2015-0125.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2015-0158.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2015-0675.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2015-0720.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2015-0765.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2015-0850.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2015-0851.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2015-1176.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2015-1177.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2015-1888.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2016-1773.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2016-1931.html
cvssv3 4.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3577.json
generic_textual MODERATE https://access.redhat.com/solutions/1165533
epss 0.01368 https://api.first.org/data/v1/epss?cve=CVE-2014-3577
generic_textual MODERATE http://seclists.org/fulldisclosure/2014/Aug/48
generic_textual MODERATE https://exchange.xforce.ibmcloud.com/vulnerabilities/95327
cvssv3.1 6.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-cfh5-3ghh-wfjx
generic_textual MODERATE https://github.com/advisories/GHSA-cfh5-3ghh-wfjx
generic_textual MODERATE https://github.com/apache/httpcomponents-client
generic_textual MODERATE https://github.com/apache/httpcomponents-client/commit/51cc67567765d67f878f0dcef61b5ded454d3122
generic_textual MODERATE https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E
cvssv2 5.8 https://nvd.nist.gov/vuln/detail/CVE-2014-3577
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2014-3577
archlinux Medium https://security.archlinux.org/AVG-2448
generic_textual MODERATE https://security.netapp.com/advisory/ntap-20231027-0003
generic_textual MODERATE https://svn.apache.org/viewvc?view=revision&revision=1614064
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2021/10/06/1
generic_textual MODERATE http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
generic_textual MODERATE http://www.ubuntu.com/usn/USN-2769-1
Reference id Reference type URL
http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00032.html
http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00033.html
http://packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-Middle.html
http://rhn.redhat.com/errata/RHSA-2014-1146.html
http://rhn.redhat.com/errata/RHSA-2014-1166.html
http://rhn.redhat.com/errata/RHSA-2014-1833.html
http://rhn.redhat.com/errata/RHSA-2014-1834.html
http://rhn.redhat.com/errata/RHSA-2014-1835.html
http://rhn.redhat.com/errata/RHSA-2014-1836.html
http://rhn.redhat.com/errata/RHSA-2014-1891.html
http://rhn.redhat.com/errata/RHSA-2014-1892.html
http://rhn.redhat.com/errata/RHSA-2015-0125.html
http://rhn.redhat.com/errata/RHSA-2015-0158.html
http://rhn.redhat.com/errata/RHSA-2015-0675.html
http://rhn.redhat.com/errata/RHSA-2015-0720.html
http://rhn.redhat.com/errata/RHSA-2015-0765.html
http://rhn.redhat.com/errata/RHSA-2015-0850.html
http://rhn.redhat.com/errata/RHSA-2015-0851.html
http://rhn.redhat.com/errata/RHSA-2015-1176.html
http://rhn.redhat.com/errata/RHSA-2015-1177.html
http://rhn.redhat.com/errata/RHSA-2015-1888.html
http://rhn.redhat.com/errata/RHSA-2016-1773.html
http://rhn.redhat.com/errata/RHSA-2016-1931.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3577.json
https://access.redhat.com/solutions/1165533
https://api.first.org/data/v1/epss?cve=CVE-2014-3577
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3577
http://seclists.org/fulldisclosure/2014/Aug/48
http://secunia.com/advisories/60466
http://secunia.com/advisories/60589
http://secunia.com/advisories/60713
https://exchange.xforce.ibmcloud.com/vulnerabilities/95327
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/apache/httpcomponents-client
https://github.com/apache/httpcomponents-client/commit/51cc67567765d67f878f0dcef61b5ded454d3122
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05363782
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
https://security.netapp.com/advisory/ntap-20231027-0003
https://security.netapp.com/advisory/ntap-20231027-0003/
https://svn.apache.org/viewvc?view=revision&revision=1614064
http://www.openwall.com/lists/oss-security/2021/10/06/1
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.osvdb.org/110143
http://www.securityfocus.com/bid/69258
http://www.securitytracker.com/id/1030812
http://www.ubuntu.com/usn/USN-2769-1
1129074 https://bugzilla.redhat.com/show_bug.cgi?id=1129074
758086 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758086
AVG-2448 https://security.archlinux.org/AVG-2448
cpe:2.3:a:apache:httpasyncclient:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:httpasyncclient:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:httpclient:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:httpclient:*:*:*:*:*:*:*:*
CVE-2014-3577 https://nvd.nist.gov/vuln/detail/CVE-2014-3577
GHSA-cfh5-3ghh-wfjx https://github.com/advisories/GHSA-cfh5-3ghh-wfjx
RHSA-2014:1082 https://access.redhat.com/errata/RHSA-2014:1082
RHSA-2014:1146 https://access.redhat.com/errata/RHSA-2014:1146
RHSA-2014:1162 https://access.redhat.com/errata/RHSA-2014:1162
RHSA-2014:1163 https://access.redhat.com/errata/RHSA-2014:1163
RHSA-2014:1166 https://access.redhat.com/errata/RHSA-2014:1166
RHSA-2014:1320 https://access.redhat.com/errata/RHSA-2014:1320
RHSA-2014:1321 https://access.redhat.com/errata/RHSA-2014:1321
RHSA-2014:1322 https://access.redhat.com/errata/RHSA-2014:1322
RHSA-2014:1323 https://access.redhat.com/errata/RHSA-2014:1323
RHSA-2014:1833 https://access.redhat.com/errata/RHSA-2014:1833
RHSA-2014:1834 https://access.redhat.com/errata/RHSA-2014:1834
RHSA-2014:1835 https://access.redhat.com/errata/RHSA-2014:1835
RHSA-2014:1836 https://access.redhat.com/errata/RHSA-2014:1836
RHSA-2014:1891 https://access.redhat.com/errata/RHSA-2014:1891
RHSA-2014:1892 https://access.redhat.com/errata/RHSA-2014:1892
RHSA-2014:1904 https://access.redhat.com/errata/RHSA-2014:1904
RHSA-2014:2019 https://access.redhat.com/errata/RHSA-2014:2019
RHSA-2014:2020 https://access.redhat.com/errata/RHSA-2014:2020
RHSA-2015:0125 https://access.redhat.com/errata/RHSA-2015:0125
RHSA-2015:0158 https://access.redhat.com/errata/RHSA-2015:0158
RHSA-2015:0234 https://access.redhat.com/errata/RHSA-2015:0234
RHSA-2015:0235 https://access.redhat.com/errata/RHSA-2015:0235
RHSA-2015:0675 https://access.redhat.com/errata/RHSA-2015:0675
RHSA-2015:0720 https://access.redhat.com/errata/RHSA-2015:0720
RHSA-2015:0765 https://access.redhat.com/errata/RHSA-2015:0765
RHSA-2015:0850 https://access.redhat.com/errata/RHSA-2015:0850
RHSA-2015:0851 https://access.redhat.com/errata/RHSA-2015:0851
RHSA-2015:1009 https://access.redhat.com/errata/RHSA-2015:1009
RHSA-2015:1176 https://access.redhat.com/errata/RHSA-2015:1176
RHSA-2015:1177 https://access.redhat.com/errata/RHSA-2015:1177
RHSA-2015:1888 https://access.redhat.com/errata/RHSA-2015:1888
RHSA-2016:1773 https://access.redhat.com/errata/RHSA-2016:1773
RHSA-2016:1931 https://access.redhat.com/errata/RHSA-2016:1931
RHSA-2022:0055 https://access.redhat.com/errata/RHSA-2022:0055
USN-2769-1 https://usn.ubuntu.com/2769-1/
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3577.json
Attack Vector (AV): network
Attack Complexity (AC): high
Privileges Required (PR): none
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): low
Integrity Impact (I): low
Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): none
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): low
Integrity Impact (I): low
Availability Impact (A): none

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2014-3577
Exploitability (E): not_defined (no temporal metric present in the vector)
Access Vector (AV): network
Access Complexity (AC): medium
Authentication (Au): none
Confidentiality Impact (C): partial
Integrity Impact (I): partial
Availability Impact (A): none

Exploit Prediction Scoring System (EPSS)
Percentile 0.80152
EPSS Score 0.01368
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:38:22.076668+00:00 ProjectKB MSRImporter Import https://raw.githubusercontent.com/SAP/project-kb/master/MSR2019/dataset/vulas_db_msr2019_release.csv 38.0.0