5.9

CVSS Score

3.0

Basic Information

CVE ID

CVE-2014-3603

GHSA ID

GHSA-rm7v-gqfg-p2wc

EPSS Score

0.303%

CWE

CWE-297

Published

5/14/2022

Updated

1/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2014-3603

CVE-2014-3603: Improper Validation of Certificate with Host Mismatch in Shibboleth Identity Provider and OpenSAML Java

The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

(GitHub Advisory)

5.9

CVSS Score

3.0

Basic Information

CVE ID

CVE-2014-3603

GHSA ID

GHSA-rm7v-gqfg-p2wc

EPSS Score

0.303%

CWE

CWE-297

Published

5/14/2022

Updated

1/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
edu.internet2.middleware:shibboleth-identityprovider	maven	< 2.4.1	2.4.1
org.opensaml:opensaml	maven	< 2.6.2	2.6.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing hostname verification in HTTP client configuration. The OpenSAML DefaultBootstrap class initializes security components and HttpClient settings. The patch added hostname verifier registration in initializeXMLSecurity(), indicating this was the missing security control. HttpClientBuilder would be responsible for creating vulnerable client instances with default insecure settings. These functions would appear in stack traces during MITM exploitation when establishing insecure HTTPS connections to fetch resources.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** (*) *ttpR*sour** *n* (*) *il****k***ttpR*sour** impl*m*nt*tions in S*i**ol*t* I**ntity Provi**r (I*P) ***or* *.*.* *n* Op*nS*ML J*v* *.*.* *o not v*ri*y t**t t** s*rv*r *ostn*m* m*t***s * *om*in n*m* in t** su*j**t's *ommon N*m* (*N) or su*j**t*l

Reasoning

T** vuln*r**ility st*ms *rom missin* *ostn*m* v*ri*i**tion in *TTP *li*nt *on*i*ur*tion. T** Op*nS*ML `****ult*ootstr*p` *l*ss initi*liz*s s**urity *ompon*nts *n* `*ttp*li*nt` s*ttin*s. T** p*t** ***** *ostn*m* v*ri*i*r r**istr*tion in `initi*liz*XML

5.9

Basic Information

Concerned about an active attack path?

CVE-2014-3603: Improper Validation of Certificate with Host Mismatch in Shibboleth Identity Provider and OpenSAML Java

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI