Critical Vulnerability Information

Vulnerability Overview

Vulnerability Name: Potential identity spoofing via unsafe CN parsing
CVE ID: CVE-2021-59134
CVSS v3 Base Metrics:
- Severity: Medium (5.9/10)
- Attack Vector: Network
- Attack Complexity: High
- Required Privileges: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None

Affected Scope

Affected Versions: < 5.0.2
Fixed Versions: 5.0.2, 5.1.0

Vulnerability Description

Openfire's SASL EXTERNAL mechanism has a vulnerability in its processing of X.509 certificates that allows an internal attacker to impersonate other users via certificate subject attributes. The vulnerability arises because a regular expression extracts the unescaped Common Name (CN) from the Distinguished Name (DN) string, whose formatting is provider-specific. A malicious certificate can embed OIDs or other attribute values that are incorrectly interpreted as a valid CN.

Impact

When no explicit configuration override is set, Openfire defaults to using certificate attributes for authentication. Mapping identities via the CN has been deprecated for CAs that comply with the CA/Browser Forum (CAB Forum) requirements, so certificates issued by public CAs are unlikely to be exploitable. However, legacy certificates may still be abused.

Remediation

Replace usage of with the standard-compliant LDAP-style RFC 2253 representation using . The fix is included in Openfire versions 5.0.2 and 5.1.0; users should upgrade as soon as possible.

Mitigation

Full workarounds (replacing JAR files) or weaker workarounds (using only SAN mapping or disabling certificate-based authentication) are available.
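The parsing defect described above, shown as an added Python illustration that is not Openfire's code: a comma-delimited regular expression over the printed DN string (the `NAIVE_CN` pattern is an assumed stand-in for the vulnerable approach, not the pattern Openfire used) is compared with a small RFC 2253 parser that honours backslash escapes and recognises the CN attribute by its type, including the OID form `2.5.4.3`. The DN strings are constructed for the example. With escapes ignored, an attribute value that merely contains the text `, CN=admin` is read as the CN; with proper RDN parsing, only a genuine CN attribute is returned.

```python
import re
import string
from typing import Dict, List, Optional

# Vulnerable approach (assumed illustration): a regex over the DN string that
# treats every comma as an RDN separator and cannot see RFC 2253 escapes.
NAIVE_CN = re.compile(r"(?:^|,\s*)CN=([^,]*)", re.IGNORECASE)

# Dotted OID of the commonName attribute type (X.520).
CN_OID = "2.5.4.3"


def cn_naive(dn: str) -> Optional[str]:
    """CN as the vulnerable regex sees it: first 'CN=' after start or a comma."""
    m = NAIVE_CN.search(dn)
    return m.group(1).strip() if m else None


def split_unescaped(s: str, sep: str) -> List[str]:
    """Split s on sep, skipping separators that are backslash-escaped."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):  # keep escape pair intact for unescape()
            buf.append(c)
            buf.append(s[i + 1])
            i += 2
            continue
        if c == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts


def unescape(value: str) -> str:
    """Decode RFC 2253 escapes: '\\X' for a special character, '\\XX' for a hex byte."""
    out = bytearray()
    i = 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(h in string.hexdigits for h in pair):
                out.append(int(pair, 16))
                i += 3
                continue
            out += value[i + 1].encode("utf-8")
            i += 2
            continue
        out += c.encode("utf-8")
        i += 1
    return out.decode("utf-8")


def normalize_type(atype: str) -> str:
    """Map attribute type spellings onto one key; CN and 2.5.4.3 both become 'CN'."""
    t = atype.strip()
    if t.lower().startswith("oid."):
        t = t[4:]
    if t.upper() == "CN" or t == CN_OID:
        return "CN"
    return t.upper()


def parse_dn(dn: str) -> List[Dict[str, str]]:
    """Parse an RFC 2253 DN string into RDNs (leaf first), each a type->value map."""
    rdns: List[Dict[str, str]] = []
    for rdn in split_unescaped(dn, ","):
        attrs: Dict[str, str] = {}
        for ava in split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError(f"malformed RDN: {rdn!r}")
            atype, avalue = ava.split("=", 1)
            attrs[normalize_type(atype)] = unescape(avalue.strip())
        rdns.append(attrs)
    return rdns


def cn_strict(dn: str) -> Optional[str]:
    """CN taken only from an RDN whose attribute type really is commonName."""
    for rdn in parse_dn(dn):
        if "CN" in rdn:
            return rdn["CN"]
    return None


# Constructed sample subjects for the comparison.
BENIGN_DN = "CN=alice,O=Example Corp"
# An OU value containing an escaped comma followed by the text "CN=admin".
CRAFTED_DN = "OU=Sales\\, CN=admin,CN=mallory,O=Example Corp"
# The commonName attribute spelled by OID rather than by the short name.
OID_DN = "2.5.4.3=alice,O=Example Corp"

if __name__ == "__main__":
    for dn in (BENIGN_DN, CRAFTED_DN, OID_DN):
        print(f"{dn!r}\n  naive regex -> {cn_naive(dn)!r}\n  RFC 2253    -> {cn_strict(dn)!r}")
```

The benign subject parses the same way under both approaches; for the crafted subject the regex reports `admin` while the RFC 2253 parser reports `mallory`, and for the OID-spelled subject the regex finds no CN at all while the parser still does. An identity-mapping routine should therefore work from parsed RDNs (or, better, from the SubjectAltName as the page's weaker workaround suggests) rather than from a string search.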