CVE-2010-3901

OpenConnect < 2.25 - Improper X.509 Certificate Validation

Title source: llm
STIX 2.1

Description

OpenConnect before 2.25 does not properly validate X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary AnyConnect SSL VPN servers via a crafted server certificate that (1) does not correspond to the server hostname or (2) is presented in circumstances involving a missing --cafile configuration option.

References (3)

Core 3
Core References
Various Sources x_refsource_confirm
http://www.infradead.org/openconnect.html
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2010/08/01/1
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2010/08/02/7

Scores

EPSS 0.0061
EPSS Percentile 45.0%

Details

CWE
CWE-20
Status published
Products (5)
infradead/openconnect 1.00
infradead/openconnect 1.10
infradead/openconnect 1.20
infradead/openconnect 1.30
infradead/openconnect < 2.22
Published Oct 14, 2010
Tracked Since Feb 18, 2026