{"id":"PYSEC-2013-25","details":"The Python client in Apache Qpid before 2.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.","aliases":["CVE-2013-1909","GHSA-3g2p-7c6p-vj8c"],"modified":"2024-04-29T11:41:33.240116Z","published":"2013-08-23T16:55:00Z","references":[{"type":"WEB","url":"https://issues.apache.org/jira/browse/QPID-4918"},{"type":"WEB","url":"http://qpid.apache.org/releases/qpid-0.22/release-notes.html"},{"type":"ADVISORY","url":"http://secunia.com/advisories/54137"},{"type":"ADVISORY","url":"http://secunia.com/advisories/53968"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2013-1024.html"},{"type":"WEB","url":"http://svn.apache.org/viewvc?view=revision&revision=1460013"}],"affected":[{"package":{"name":"qpid-python","ecosystem":"PyPI","purl":"pkg:pypi/qpid-python"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.22"}]}],"versions":["0.20"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/qpid-python/PYSEC-2013-25.yaml"}}],"schema_version":"1.7.3"}