Affects Version/s: 3.2.11, 4.0.6
Security Advisory - Apache Software Foundation
Apache HttpComponents / hc.apache.org
Hostname verification susceptible to MITM attack
CVE-2014-3577 / CVSS 1.4
Apache HttpComponents (prior to revision 4.3.5/4.0.2) may be susceptible
to a 'Man in the Middle Attack' due to a flaw in the default hostname
verification during SSL/TLS when a specially crafted server side
certificate is used.
During an SSL/TLS connection (https) the client verifies the hostname in
the URL against the hostname as encoded in the server's certificate (CN,
subjectAltName fields). This ensures that the client connects to the
'real' server, as opposed to something in the middle (man in the middle)
that may compromise end-to-end confidentiality and integrity.
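The check described above, as an added illustration that is not HttpComponents code: it compares the requested hostname against each certificate identifier as a whole value (dNSName SAN entries first, CN only as a legacy fallback), never by searching the DN string. The certificate dicts are constructed here in the shape Python's ssl.SSLSocket.getpeercert() returns.

```python
def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, case-insensitive; a single '*' is
    allowed only as the whole left-most label and never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # reject '*.com', 'w*.example.com' and label-count mismatches
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert: dict, hostname: str) -> bool:
    """Accept only if hostname equals a dNSName SAN entry or, when the
    certificate carries no dNSName at all, its commonName."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        return any(_dns_match(name, hostname) for name in dns_names)
    # CN fallback: legacy certificates without any dNSName SAN
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return _dns_match(value, hostname)
    return False


# Constructed sample certificates (getpeercert() dict shape), not real certs.
GOOD_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "www.example.com"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
LEGACY_CN_ONLY = {"subject": ((("commonName", "*.example.com"),),)}
# Target name appears only in the O= field; identifiers point elsewhere.
MISMATCHED = {
    "subject": ((("organizationName", "www.example.com"),),
                (("commonName", "other.test"),)),
    "subjectAltName": (("DNS", "other.test"),),
}

if __name__ == "__main__":
    for cert, host in ((GOOD_CERT, "www.example.com"),
                       (LEGACY_CN_ONLY, "app.example.com"),
                       (MISMATCHED, "www.example.com")):
        print(host, "->", "accept" if verify_hostname(cert, host) else "reject")
```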