CVE-2016-4467

5.9MEDIUM

Key Information:

Vendor
Apache
Status
Qpid Proton
Vendor
CVE Published:
2 May 2017

Summary

The C client and C-based client bindings in the Apache Qpid Proton library before 0.13.1 on Windows do not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when using the SChannel-based security layer, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.

References

http://www.securityfocus.com/bid/91788
vdb-entryx_refsource_BID
http://www.openwall.com/lists/oss-security/2016/07/15/3
mailing-listx_refsource_MLIST
http://www.securitytracker.com/id/1036316
vdb-entryx_refsource_SECTRACK

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.