CVE-2014-3596

The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.

Published: 2014-08-27 Last update: 2026-06-17 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2014-3596 is rated Moderate Risk (60/100): CVSS Medium severity, with high exploitation likelihood (EPSS 5.81%, 92th percentile). EPSS ranks this CVE among the most likely to be exploited in the near term. EPSS rose +4.59% over the last day, indicating growing attacker interest. High exploitation likelihood—assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2014-3596

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 1.21% 5.81% +4.59%
2 2025-10-21 1.36% 1.21% -0.15%
3 2025-10-17 1.36%

Full EPSS history (13 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2014-3596

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
5.8 2.0 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:N Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:N)
No availability impact.
 8.6 4.9 [email protected]

Weakness enumeration for CVE-2014-3596

GitHub Security Advisory for CVE-2014-3596

GHSA-r53v-vm87-f72c · Severity: medium · Ecosystem: maven — Improper Validation of Certificates in apache axis

OS Trackers for CVE-2014-3596

vendor priority summary link
debian low CVE-2014-3596 low priority: Debian including 1 source packages (axis), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2014-3596
redhat high https://access.redhat.com/security/cve/CVE-2014-3596
suse medium CVE-2014-3596 severity moderate: SUSE including 11 source package names (axis-1.4-11.65, axis-1.4-150200.13.6.4, …), 22 product×package rows across 20 product lines (SUSE Linux Enterprise High Performance Computing 12 SP5, SUSE Linux Enterprise Module for Basesystem 15, … (20 product lines)): Fixed 22. https://www.suse.com/security/cve/CVE-2014-3596/
ubuntu low CVE-2014-3596 low priority: Ubuntu including 1 source packages (axis), 4 status rows across 4 suites (lucid, precise, trusty, upstream): DNE 1, ignored 1, not-affected 1, released 1. https://ubuntu.com/security/CVE-2014-3596

NVD evaluator notes for CVE-2014-3596

Comment: <a href="http://cwe.mitre.org/data/definitions/297.html" target="_blank">CWE-297: Improper Validation of Certificate with Host Mismatch</a>

Affected software / configurations for CVE-2014-3596

Vendor Product Version Raw CPE
apache axis <= 1.4 cpe:2.3:a:apache:axis:*:*:*:*:*:*:*:*
apache axis 1.0 cpe:2.3:a:apache:axis:1.0:*:*:*:*:*:*:*
apache axis 1.0 cpe:2.3:a:apache:axis:1.0:beta:*:*:*:*:*:*
apache axis 1.0 cpe:2.3:a:apache:axis:1.0:rc1:*:*:*:*:*:*
apache axis 1.0 cpe:2.3:a:apache:axis:1.0:rc2:*:*:*:*:*:*
apache axis 1.1 cpe:2.3:a:apache:axis:1.1:*:*:*:*:*:*:*
apache axis 1.1 cpe:2.3:a:apache:axis:1.1:beta:*:*:*:*:*:*
apache axis 1.1 cpe:2.3:a:apache:axis:1.1:rc1:*:*:*:*:*:*
apache axis 1.1 cpe:2.3:a:apache:axis:1.1:rc2:*:*:*:*:*:*
apache axis 1.2 cpe:2.3:a:apache:axis:1.2:*:*:*:*:*:*:*
apache axis 1.2 cpe:2.3:a:apache:axis:1.2:alpha:*:*:*:*:*:*
apache axis 1.2 cpe:2.3:a:apache:axis:1.2:beta1:*:*:*:*:*:*
apache axis 1.2 cpe:2.3:a:apache:axis:1.2:beta2:*:*:*:*:*:*
apache axis 1.2 cpe:2.3:a:apache:axis:1.2:beta3:*:*:*:*:*:*
apache axis 1.2 cpe:2.3:a:apache:axis:1.2:rc1:*:*:*:*:*:*
apache axis 1.2 cpe:2.3:a:apache:axis:1.2:rc2:*:*:*:*:*:*
apache axis 1.2 cpe:2.3:a:apache:axis:1.2:rc3:*:*:*:*:*:*
apache axis 1.2.1 cpe:2.3:a:apache:axis:1.2.1:*:*:*:*:*:*:*
apache axis 1.3 cpe:2.3:a:apache:axis:1.3:*:*:*:*:*:*:*

References for CVE-2014-3596

URL Tags
http://linux.oracle.com/errata/ELSA-2014-1193.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00022.html
http://rhn.redhat.com/errata/RHSA-2014-1193.html
http://secunia.com/advisories/61222
http://www.openwall.com/lists/oss-security/2014/08/20/2
http://www.securityfocus.com/bid/69295
http://www.securitytracker.com/id/1030745
https://exchange.xforce.ibmcloud.com/vulnerabilities/95377
https://issues.apache.org/jira/browse/AXIS-2905 Patch
https://lists.apache.org/thread.html/44d4e88a5fa8ae60deb752029afe9054da87c5f859caf296fcf585e5%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/5e6c92145deddcecf70c3604041dcbd615efa2d37632fc2b9c367780%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/8aa25c99eeb0693fc229ec87d1423b5ed5d58558618706d8aba1d832%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/a308887782e05da7cf692e4851ae2bd429a038570cbf594e6631cc8d%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/de2af12dcaba653d02b03235327ca4aa930401813a3cced8e151d29c%40%3Cjava-dev.axis.apache.org%3E
https://www.oracle.com/security-alerts/cpujan2020.html
cvelogic Threat Intelligence