CVE-2013-1909

Severity
5.8 MEDIUM
EPSS
0.8%
top 25.82%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published 2013-08-23
Latest update 2022-05-13

Description

The Python client in Apache Qpid before 2.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Hostname verification is the client-side check that binds a certificate to the endpoint actually being contacted; without it, any certificate the client otherwise accepts, including one legitimately issued for an unrelated domain, lets an attacker who can intercept the connection terminate TLS in the broker's place. The Red Hat bug reports listed below add that the affected client also did not validate the server certificate against a trusted CA, so a fixed client needs both checks in place: chain validation to a trusted CA and a match between the dialled name and the certificate's names.
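The missing check, as an added example (not code from Apache Qpid or its Python client): a hostname verifier that takes the dict `ssl.SSLSocket.getpeercert()` returns and matches the dialled name against subjectAltName entries, falling back to the Common Name only for legacy certificates with no dNSName SAN, together with the SSLContext settings a modern Python client needs so the check runs at all. The certificates `SAN_CERT` and `CN_ONLY_CERT` are constructed inputs, and `check_peer_hostname`, `hostname_matches`, `verifying_client_context` and `context_is_strict` are names chosen here, not Qpid API.

```python
"""Server-hostname verification of the kind CVE-2013-1909 says the Qpid
Python client omitted.  Added example, not Apache Qpid code.

`cert` uses the dict layout returned by ssl.SSLSocket.getpeercert(), so
check_peer_hostname() can be called right after a TLS handshake.  The
sample certificates at the bottom are constructed for illustration."""

import ipaddress
import ssl
from typing import Optional


class CertificateError(ValueError):
    """The presented certificate does not name the host we dialled."""


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName against hostname per RFC 6125 section 6.4.3:
    case-insensitive, trailing dot ignored, and '*' honoured only as the
    entire left-most label, so '*.example.com' covers 'a.example.com' but
    not 'a.b.example.com', 'example.com', and 'f*o.example.com' matches
    nothing."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    # Reject bare '*', '*.com', partial-label and nested wildcards.
    if labels[0] != "*" or len(labels) < 3 or any("*" in lab for lab in labels[1:]):
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def _ip_matches(candidate: str, ip) -> bool:
    try:
        return ipaddress.ip_address(candidate) == ip
    except ValueError:
        return False


def check_peer_hostname(cert: dict, hostname: str) -> None:
    """Raise CertificateError unless `cert` was issued for `hostname`.

    * An empty dict is what getpeercert() returns when the peer was not
      verified (CERT_NONE); that is a failure, not 'no names to check'.
    * An IP literal must match an 'IP Address' SAN entry, never a dNSName
      or the CN.
    * If the SAN carries any dNSName, only those are consulted and the
      subject CN is ignored (RFC 6125; browsers behave the same way).
    * The CN is consulted only for legacy certificates with no dNSName SAN.
    """
    if not cert:
        raise CertificateError("no verified peer certificate (CERT_NONE?)")
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]

    if ip is not None:
        if any(_ip_matches(v, ip) for v in ip_names):
            return
        raise CertificateError(f"IP {hostname} not among SAN IP entries {ip_names}")
    if dns_names:
        if any(_dns_name_matches(n, hostname) for n in dns_names):
            return
        raise CertificateError(f"hostname {hostname!r} not in SAN {dns_names}")
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_dns_name_matches(cn, hostname) for cn in cns):
        return
    raise CertificateError(f"hostname {hostname!r} does not match CN {cns}")


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Boolean form of check_peer_hostname()."""
    try:
        check_peer_hostname(cert, hostname)
        return True
    except CertificateError:
        return False


def verifying_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The client-side fix in modern Python: require a chain to a trusted CA
    *and* hostname matching.  ssl.wrap_socket(sock) with default arguments,
    as old clients did, gave neither (CERT_NONE, no hostname check)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context both validates the chain and checks the name."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed sample certificates in getpeercert() layout (not real certs).
SAN_CERT = {
    "subject": ((("commonName", "ignored.example.net"),),),
    "subjectAltName": (("DNS", "broker.example.com"),
                       ("DNS", "*.mq.example.com"),
                       ("IP Address", "10.0.0.5")),
}
CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.com"),)),
}

if __name__ == "__main__":
    for cert, host in [(SAN_CERT, "broker.example.com"),
                       (SAN_CERT, "ignored.example.net"),
                       (SAN_CERT, "a.b.mq.example.com"),
                       (CN_ONLY_CERT, "legacy.example.com"),
                       ({}, "broker.example.com")]:
        print(f"{host:22} -> {hostname_matches(cert, host)}")
```

With `verifying_client_context()` the interpreter performs the same matching itself during `ctx.wrap_socket(sock, server_hostname=host)`; the explicit verifier is for code paths that still build sockets with `verify_mode=CERT_NONE`, where `getpeercert()` hands back an empty dict, which is why `check_peer_hostname` refuses an empty dict instead of treating it as a certificate with no names.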

CVSS vector

AV:N/AC:M/Au:N/C:P/I:P/A:N (CVSS v2)
Exploitability: 8.6 | Impact: 4.9

Affected Packages (3 packages)

PyPI: qpid-python < 0.22
NVD: apache/qpid 0.20 (+15 further versions)

Patches

🔴 Vulnerability Details (4)

OSV: Apache Qpid Python client Improper certificate validation (2022-05-13)
GHSA: Apache Qpid Python client Improper certificate validation (2022-05-13)
OSV: CVE-2013-1909: The Python client in Apache Qpid before 2 (2013-08-23)
CVEList: CVE-2013-1909: The Python client in Apache Qpid before 2 (2013-08-23)

📋 Vendor Advisories (1)

Red Hat: python-qpid: client does not validate qpid server TLS/SSL certificate (2013-06-13)

💬 Community (2)

Bugzilla: CVE-2013-1909 python-qpid: client does not validate Certificate Authority certificates nor checks CN/SubjectAltName against remote FQDN [fedora-all] (2013-06-14)
Bugzilla: CVE-2013-1909 python-qpid: client does not validate qpid server TLS/SSL certificate (2013-03-27)