CVE-2014-3577
medium
CVSS v3
–
CVSS v4 NEW
–
VIR risk
5.8
Description
Improper Verification of Cryptographic Signature in org.apache.httpcomponents:httpclient
Predictions
Exploit likelihood
20%
Patch ETA
–
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| – | Affected | – |
Arch Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| – | Fixed | 2.315-1 |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 3.1-11 |
| sid | Fixed | 3.1-11 |
| forky | Fixed | 3.1-11 |
| bullseye | Fixed | 3.1-11 |
| bookworm | Fixed | 3.1-11 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.apache.httpcomponents:httpclient | <4.3.5 | 4.3.5 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| apache | httpclient | 4.0 through 4.3.4 (inclusive) | |
| apache | httpasyncclient | 4.0 through 4.0.1 (inclusive) | |
References
- https://www.suse.com/security/cve/CVE-2014-3577.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00032.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00033.html
- http://packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-Middle.html
- http://rhn.redhat.com/errata/RHSA-2014-1146.html
- http://rhn.redhat.com/errata/RHSA-2014-1166.html
- http://rhn.redhat.com/errata/RHSA-2014-1833.html
- http://rhn.redhat.com/errata/RHSA-2014-1834.html
- http://rhn.redhat.com/errata/RHSA-2014-1835.html
- http://rhn.redhat.com/errata/RHSA-2014-1836.html
- http://rhn.redhat.com/errata/RHSA-2014-1891.html
- http://rhn.redhat.com/errata/RHSA-2014-1892.html
- http://rhn.redhat.com/errata/RHSA-2015-0125.html
- http://rhn.redhat.com/errata/RHSA-2015-0158.html
- http://rhn.redhat.com/errata/RHSA-2015-0675.html
- http://rhn.redhat.com/errata/RHSA-2015-0720.html
- http://rhn.redhat.com/errata/RHSA-2015-0765.html
- http://rhn.redhat.com/errata/RHSA-2015-0850.html
- http://rhn.redhat.com/errata/RHSA-2015-0851.html
- http://rhn.redhat.com/errata/RHSA-2015-1176.html
- http://rhn.redhat.com/errata/RHSA-2015-1177.html
- http://rhn.redhat.com/errata/RHSA-2015-1888.html
- http://rhn.redhat.com/errata/RHSA-2016-1773.html
- http://rhn.redhat.com/errata/RHSA-2016-1931.html
- http://seclists.org/fulldisclosure/2014/Aug/48