CVE-2013-1909: Apache Qpid Python client Improper certificate validation
The Python client in Apache Qpid before 2.2 does not verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
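As an added illustration, not code from the advisory or from the Qpid project, the check below is the hostname verification a fixed client performs: it matches the server name against subjectAltName dNSName entries, falling back to the subject Common Name only when no dNSName is present. It works on the dict shape Python's `ssl.SSLSocket.getpeercert()` returns; the certificates used here are constructed samples, and `secure_client_context` is a hypothetical helper showing how a modern client enables the same check.

```python
import ssl


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly '*.example.com') against a host."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # Wildcard: only the left-most label may vary, and it must not be empty.
    head, sep, tail = hostname.partition(".")
    return bool(head) and sep == "." and tail == pattern[2:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True if the certificate names `hostname` (RFC 6125 rules)."""
    san = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        # When dNSName entries exist, the Common Name is not consulted.
        return any(_name_matches(n, hostname) for n in san)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(cn, hostname) for cn in cns)


def secure_client_context() -> ssl.SSLContext:
    """Hypothetical helper: a client context that checks chain AND hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED with the system CA store
    ctx.check_hostname = True           # the verification step CVE-2013-1909 lacked
    return ctx


# Constructed sample certificates in getpeercert() dict form (not real certs).
BROKER_CERT = {
    "subject": ((("commonName", "broker.example.com"),),),
    "subjectAltName": (("DNS", "broker.example.com"), ("DNS", "*.mq.example.com")),
}
OTHER_VALID_CERT = {  # CA-signed and valid, but issued for a different host
    "subject": ((("commonName", "www.other.example"),),),
    "subjectAltName": (("DNS", "www.other.example"),),
}

if __name__ == "__main__":
    # A client that skips this check accepts OTHER_VALID_CERT for the broker.
    for cert in (BROKER_CERT, OTHER_VALID_CERT):
        name = cert["subject"][0][0][1]
        print(f"{name}: matches broker.example.com -> "
              f"{hostname_matches(cert, 'broker.example.com')}")
```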
References
- github.com/advisories/GHSA-3g2p-7c6p-vj8c
- github.com/apache/qpid-python
- github.com/apache/qpid-python/commit/7d8f51791c4949404d78f1083f465b7b4c8e954b
- github.com/pypa/advisory-database/tree/main/vulns/qpid-python/PYSEC-2013-25.yaml
- issues.apache.org/jira/browse/QPID-4918
- nvd.nist.gov/vuln/detail/CVE-2013-1909
- web.archive.org/web/20140722191407/http://secunia.com/advisories/53968
- web.archive.org/web/20140722194233/http://secunia.com/advisories/54137
Detect and mitigate CVE-2013-1909 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →