Lucene search

GitHub Advisory DatabaseGHSA-3G2P-7C6P-VJ8C

HistoryMay 13, 2022 - 1:08 a.m.

Apache Qpid Python client Improper certificate validation

2022-05-1301:08:41

CWE-20

GitHub Advisory Database

github.com

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

6.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.4%

JSON

The Python client in Apache Qpid before 2.2 does not verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Affected configurations

Vulners

Node

qpidpythonRange<0.22

CPENameOperatorVersion
qpid-pythonlt0.22

CPE	Name	Operator	Version
	qpid-python	lt	0.22

References

qpid.apache.org/releases/qpid-0.22/release-notes.html

rhn.redhat.com/errata/RHSA-2013-1024.html

svn.apache.org/viewvc?view=revision&revision=1460013

github.com/advisories/GHSA-3g2p-7c6p-vj8c

github.com/apache/qpid-python/commit/7d8f51791c4949404d78f1083f465b7b4c8e954b

issues.apache.org/jira/browse/QPID-4918

nvd.nist.gov/vuln/detail/CVE-2013-1909

web.archive.org/web/20140722191407/secunia.com/advisories/53968

web.archive.org/web/20140722194233/secunia.com/advisories/54137

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

6.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.4%

JSON

Related for GHSA-3G2P-7C6P-VJ8C