CVE-2013-1909

2013-08-2316:55:00

CWE-20

[email protected]

web.nvd.nist.gov

apache qpid

python client

cve-2013-1909

ssl

x.509

security

certificate validation

man-in-the-middle

nvd

6.5 Medium

AI Score

Confidence

Low

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.001 Low

EPSS

Percentile

31.1%

JSON

The Python client in Apache Qpid before 2.2 does not verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CPENameOperatorVersion
redhat:enterprise_mrgredhat enterprise mrgeq2.0
apache:qpidapache qpideq0.14
apache:qpidapache qpideq0.7
apache:qpidapache qpideq0.15
apache:qpidapache qpideq0.10
apache:qpidapache qpideq0.17
apache:qpidapache qpidle0.20
apache:qpidapache qpideq0.9
apache:qpidapache qpideq0.13
apache:qpidapache qpideq0.6

CPE	Name	Operator	Version
redhat:enterprise_mrg	redhat enterprise mrg	eq	2.0
apache:qpid	apache qpid	eq	0.14
apache:qpid	apache qpid	eq	0.7
apache:qpid	apache qpid	eq	0.15
apache:qpid	apache qpid	eq	0.10
apache:qpid	apache qpid	eq	0.17
apache:qpid	apache qpid	le	0.20
apache:qpid	apache qpid	eq	0.9
apache:qpid	apache qpid	eq	0.13
apache:qpid	apache qpid	eq	0.6