The C client and C-based client bindings in the Apache Qpid Proton library before 0.13.1 on Windows do not properly verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate when using the SChannel-based security layer, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.
CPE | Name | Operator | Version |
---|---|---|---|
qpid_proton | eq | 0.12.0 | |
qpid_proton | eq | 0.12.1 | |
qpid_proton | eq | 0.13.0 | |
qpid_proton | eq | 0.11.1 | |
qpid_proton | eq | 0.11.0 | |
qpid_proton | eq | 0.10.0 | |
qpid_proton | eq | 0.9.1 | |
qpid_proton | eq | 0.12.2 | |
qpid_proton | eq | 0.9.0 | |
qpid_proton | eq | 0.8.0 |