Apache Qpid Proton Vulnerability: Server Hostname Verification Flaw on Windows
CVE-2016-4467
Severity score: 5.9 (MEDIUM)
What is CVE-2016-4467?
The Apache Qpid Proton library on Windows, prior to version 0.13.1, contains a significant vulnerability: the C client and the C-based client bindings fail to adequately verify that the server hostname matches the domain name in the Common Name (CN) or the subjectAltName field of the server's X.509 certificate. Because the certificate's chain is checked but its identity is not, a man-in-the-middle attacker can present an arbitrary valid certificate (one issued for any name) and spoof the server, deceiving clients into connecting to a malicious endpoint and undermining the confidentiality and integrity of data in transit.
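As an added illustration of the check this advisory says was missing (example code written for this page, not code from Qpid Proton), the following C routine matches a server hostname against the certificate's dNSName subjectAltName entries, falling back to the CN only when no dNSName SAN is present. It assumes the caller has already extracted those strings from a chain-validated certificate; the names used in `main` are constructed samples.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two DNS names (DNS names are case-insensitive). */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Match one certificate name (possibly "*.example.com") against host.
 * A wildcard is honoured only as the entire left-most label, must not match
 * across a dot, and must be followed by at least two labels, so
 * "*.example.com" matches "mq.example.com" but not "example.com",
 * "a.b.example.com", and "*.com" matches nothing. */
int name_matches(const char *pattern, const char *host) {
    if (strncmp(pattern, "*.", 2) != 0)
        return ieq(pattern, host);
    if (strchr(pattern + 2, '.') == NULL)      /* reject "*.tld" style patterns */
        return 0;
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)            /* host needs a non-empty first label */
        return 0;
    return ieq(pattern + 1, dot);              /* ".example.com" vs host remainder */
}

/* The identity check a TLS client must perform after chain validation:
 * if any dNSName SAN is present only the SANs count; the CN is consulted
 * solely for certificates that carry no dNSName SAN at all. Returns 1 on match. */
int verify_server_identity(const char *host,
                           const char *const *dns_sans, size_t n_sans,
                           const char *cn) {
    if (n_sans > 0) {
        for (size_t i = 0; i < n_sans; i++)
            if (name_matches(dns_sans[i], host)) return 1;
        return 0;                              /* SANs present: CN is ignored */
    }
    return cn != NULL && name_matches(cn, host);
}

int main(void) {
    /* Constructed sample identities, not taken from any real certificate. */
    const char *sans[] = { "*.example.com", "broker.example.org" };
    printf("mq.example.com  -> %d\n", verify_server_identity("mq.example.com", sans, 2, NULL));
    printf("evil.test (CN)  -> %d\n", verify_server_identity("evil.test", sans, 2, "evil.test"));
    return 0;
}
```

A client that skips this step, as the vulnerable Proton builds did, accepts any certificate that chains to a trusted CA regardless of whose name it carries.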