The Python client in Apache Qpid before 2.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
21 Nov 2024, 01:50
Type | Values Removed | Values Added |
---|---|---|
References | () http://qpid.apache.org/releases/qpid-0.22/release-notes.html - | |
References | () http://rhn.redhat.com/errata/RHSA-2013-1024.html - | |
References | () http://secunia.com/advisories/53968 - Vendor Advisory | |
References | () http://secunia.com/advisories/54137 - Vendor Advisory | |
References | () http://svn.apache.org/viewvc?view=revision&revision=1460013 - Patch | |
References | () https://issues.apache.org/jira/browse/QPID-4918 - Patch |
Information
Published : 2013-08-23 16:55
Updated : 2024-11-21 01:50
NVD link : CVE-2013-1909
Mitre link : CVE-2013-1909
CVE.ORG link : CVE-2013-1909
JSON object : View
Products Affected
apache
- qpid
redhat
- enterprise_mrg
CWE
CWE-20
Improper Input Validation