CWE-358: Improperly Implemented Security Check for Standard - CVE-2014-0363
The implementation of ServerTrustManager in Smack API version 3.4.1, and possibly earlier versions, does not properly verify the basicConstraints and nameConstraints extensions of the certificates within a certificate chain.
A remote unauthenticated attacker may be able to perform a man-in-the-middle attack, add roster entries or spoof IQ responses.
Apply an Update
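For reference, the following is an added illustration (not Smack's own code) of what a correct server trust manager must do: delegate chain validation to the platform PKIX validator, which enforces basicConstraints, path length and nameConstraints, with an explicit basicConstraints check on every issuer as defence in depth. The class name and the trust-store constructor argument are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.X509TrustManager;

/** Hypothetical trust manager that validates the server chain with PKIX instead of ad hoc checks. */
public final class StrictServerTrustManager implements X509TrustManager {
    private final KeyStore trustStore; // trust anchors, e.g. the JRE cacerts store (assumed to be supplied by the caller)

    public StrictServerTrustManager(KeyStore trustStore) {
        this.trustStore = trustStore;
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        // Defence in depth: every certificate that signs another certificate in the chain must be a CA.
        // getBasicConstraints() returns -1 when the certificate is not a CA (or lacks the extension).
        for (int i = 1; i < chain.length; i++) {
            if (chain[i].getBasicConstraints() < 0) {
                throw new CertificateException("non-CA certificate used as issuer: " + chain[i].getSubjectX500Principal());
            }
        }
        try {
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(chain));
            PKIXParameters params = new PKIXParameters(trustStore);
            params.setRevocationEnabled(false); // enable once a CRL/OCSP source is configured
            // PKIX path validation checks signatures, validity periods, basicConstraints,
            // path length limits and nameConstraints up to a trust anchor in trustStore.
            CertPathValidator.getInstance("PKIX").validate(path, params);
        } catch (CertificateException e) {
            throw e;
        } catch (GeneralSecurityException e) {
            throw new CertificateException("certificate chain validation failed", e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("client certificate authentication is not supported here");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}
```

Chain validation does not cover hostname matching; the XMPP client must still verify that the server certificate's subject or subjectAltName matches the expected domain.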
Thanks to Ryan Sleevi for identifying the vulnerability in ServerTrustManager, to Thijs Alkemade for identifying the IQ validation vulnerability, and to Florian Schmaus for reporting this vulnerability.
This document was written by Jared Allar.