Vulnerability Note VU#118748
POCO C++ Libraries NetSSL library fails to properly validate wildcard certificates
The POCO C++ Libraries NetSSL library fails to properly validate wildcard certificates, allowing an attacker to trick the victim application into trusting a malicious certificate.
CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action
Guenter Obiltschnig of Applied Informatics GmbH reports:
After a successful DNS spoofing attack, the attacker may be able to trick an SSL/TLS client into successfully validating a certificate from a malicious server. However, this requires that the certificate first passes the certificate chain validation.
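Added example, not POCO's code and not the vendor's fix: a conservative wildcard check of the kind a TLS client applies after chain validation, comparing the certificate name only with the hostname the caller asked to connect to, never with a name learned from DNS. The function names and sample hostnames are constructed for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Split a lower-cased DNS name into its dot-separated labels.
static std::vector<std::string> labels(std::string name) {
    std::transform(name.begin(), name.end(), name.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    std::vector<std::string> out;
    std::string::size_type start = 0, dot;
    while ((dot = name.find('.', start)) != std::string::npos) {
        out.push_back(name.substr(start, dot - start));
        start = dot + 1;
    }
    out.push_back(name.substr(start));
    return out;
}

// True if certName (a DNS name taken from the certificate) covers requestedHost,
// the name the caller asked to connect to (never a name obtained from DNS).
bool certNameMatchesHost(const std::string& certName, const std::string& requestedHost) {
    const std::vector<std::string> pat = labels(certName);
    const std::vector<std::string> host = labels(requestedHost);
    if (pat.size() != host.size()) return false;              // '*' never spans a dot
    // IP literals get no wildcard treatment: digits-and-dots or ':' means exact match only.
    const bool ipLiteral =
        requestedHost.find_first_not_of("0123456789.") == std::string::npos ||
        requestedHost.find(':') != std::string::npos;
    for (std::size_t i = 0; i < pat.size(); ++i) {
        if (pat[i].empty() || host[i].empty()) return false;  // malformed name
        if (i == 0 && pat[i] == "*" && !ipLiteral) {
            if (pat.size() < 3) return false;                 // refuse "*" and "*.com"
            continue;                                         // whole leftmost label only
        }
        if (pat[i].find('*') != std::string::npos) return false;  // partial or inner wildcard
        if (pat[i] != host[i]) return false;
    }
    return true;
}

int main() {
    // Constructed sample names, not taken from the advisory.
    const std::vector<std::string> hosts = {"www.example.com", "a.b.example.com",
                                            "example.com", "www.example.com.evil.test"};
    for (const auto& h : hosts)
        std::cout << h << " -> " << certNameMatchesHost("*.example.com", h) << "\n";
}
```

The check is deliberately stricter than some clients: it rejects partial-label wildcards such as `w*.example.com` and wildcards directly under a top-level label.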
Apply an Update
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Applied Informatics GmbH | Affected | - | 17 Apr 2014 |
CVSS Metrics
Thanks to Tuomas Siren and Alexander Berezhnoy for originally discovering the vulnerability.
This document was written by Todd Lewellen.
- CVE IDs: CVE-2014-0350
- Date Public: 24 Apr 2014
- Date First Published: 24 Apr 2014
- Date Last Updated: 24 Apr 2014
- Document Revision: 6