{
  "threat_severity" : "Moderate",
  "public_date" : "2014-08-05T00:00:00Z",
  "bugzilla" : {
    "description" : "smack: MitM vulnerability",
    "id" : "1127276",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1127276"
  },
  "cvss" : {
    "cvss_base_score" : "5.8",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:P/A:N",
    "status" : "verified"
  },
  "details" : [ "The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", "It was found that SSLSocket in Smack did not perform hostname verification. An attacker able to redirect traffic between an application and an XMPP server could impersonate that server by presenting a valid certificate for a domain under the attacker's control." ],
  "affected_release" : [ {
    "product_name" : "Red Hat JBoss Fuse 6.2",
    "release_date" : "2015-06-23T00:00:00Z",
    "advisory" : "RHSA-2015:1176",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6.2.0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat JBoss BRMS 5",
    "fix_state" : "Will not fix",
    "package_name" : "smack",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-5075\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-5075" ],
  "name" : "CVE-2014-5075",
  "csaw" : false
}