Vulnerability Details CVE-2013-1909
The Python client in Apache Qpid before 2.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 67.9%
CVSS Severity
CVSS v2 Score 5.8
References
- http://qpid.apache.org/releases/qpid-0.22/release-notes.html
- http://rhn.redhat.com/errata/RHSA-2013-1024.html
- http://secunia.com/advisories/53968
- http://secunia.com/advisories/54137
- http://svn.apache.org/viewvc?view=revision&revision=1460013
- https://issues.apache.org/jira/browse/QPID-4918
- http://qpid.apache.org/releases/qpid-0.22/release-notes.html
- http://rhn.redhat.com/errata/RHSA-2013-1024.html
- http://secunia.com/advisories/53968
- http://secunia.com/advisories/54137
- http://svn.apache.org/viewvc?view=revision&revision=1460013
- https://issues.apache.org/jira/browse/QPID-4918
Products affected by CVE-2013-1909
-
cpe:2.3:a:apache:qpid:0.10
-
cpe:2.3:a:apache:qpid:0.11
-
cpe:2.3:a:apache:qpid:0.12
-
cpe:2.3:a:apache:qpid:0.13
-
cpe:2.3:a:apache:qpid:0.14
-
cpe:2.3:a:apache:qpid:0.15
-
cpe:2.3:a:apache:qpid:0.16
-
cpe:2.3:a:apache:qpid:0.17
-
cpe:2.3:a:apache:qpid:0.18
-
cpe:2.3:a:apache:qpid:0.19
-
cpe:2.3:a:apache:qpid:0.20
-
cpe:2.3:a:apache:qpid:0.5
-
cpe:2.3:a:apache:qpid:0.6
-
cpe:2.3:a:apache:qpid:0.7
-
cpe:2.3:a:apache:qpid:0.8
-
cpe:2.3:a:apache:qpid:0.9
-
cpe:2.3:o:redhat:enterprise_mrg:2.0