CVE-2014-5075

Name of the Vulnerable Software and Affected Versions Ignite Realtime Smack XMPP API versions 4.x before 4.0.2 Ignite Realtime Smack XMPP API versions 3.x and 2.x when a custom SSLContext is used

Description The issue allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate because it does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate.

Recommendations For versions 4.x before 4.0.2, update to version 4.0.2 or later to resolve the issue. For versions 3.x and 2.x when a custom SSLContext is used, ensure proper verification of the server hostname against the X.509 certificate's Common Name (CN) or subjectAltName field to prevent spoofing.