CVE-2017-1000209

MEDIUM

nv-websocket-client - Man-in-the-Middle

Title source: llm

Description

The Java WebSocket client nv-websocket-client does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL/TLS servers via an arbitrary valid certificate.

Exploits (2)

nomisec WRITEUP

by dawetmaster · poc

https://github.com/dawetmaster/CVE-2017-1000209-nv-websocket-client-vulnerable

View Code ZIP pw:eip

nomisec WRITEUP

by andikahilmy · poc

https://github.com/andikahilmy/CVE-2017-1000209-nv-websocket-client-vulnerable

View Code ZIP pw:eip

References (1)

[Third Party Advisory] https://github.com/TakahikoKawasaki/nv-websocket-client/pull/107

Scores

CVSS v3 5.9

EPSS 0.0012

EPSS Percentile 31.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-295

Status published

Products (2)

com.neovisionaries/nv-websocket-client 0 - 2.1Maven

nv-websocket-client_project/nv-websocket-client < 2.2

Published Nov 17, 2017

Tracked Since Feb 18, 2026