CVE-2013-1909: Apache Qpid Python client Improper certificate validation

May 13, 2022 (updated October 25, 2024)

The Python client in Apache Qpid before 2.2 does not verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

References

github.com/advisories/GHSA-3g2p-7c6p-vj8c
github.com/apache/qpid-python
github.com/apache/qpid-python/commit/7d8f51791c4949404d78f1083f465b7b4c8e954b
github.com/pypa/advisory-database/tree/main/vulns/qpid-python/PYSEC-2013-25.yaml
issues.apache.org/jira/browse/QPID-4918
nvd.nist.gov/vuln/detail/CVE-2013-1909
web.archive.org/web/20140722191407/http://secunia.com/advisories/53968
web.archive.org/web/20140722194233/http://secunia.com/advisories/54137

Code Behaviors & Features

Detect and mitigate CVE-2013-1909 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →