CVE-2016-4467

The C client and C-based client bindings in the Apache Qpid Proton library before 0.13.1 on Windows do not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when using the SChannel-based security layer, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 60%
VendorProductVersion
apacheqpid_proton
0.8.0
apacheqpid_proton
0.9.0
apacheqpid_proton
0.9.1
apacheqpid_proton
0.10.0
apacheqpid_proton
0.11.0
apacheqpid_proton
0.11.1
apacheqpid_proton
0.12.0
apacheqpid_proton
0.12.1
apacheqpid_proton
0.12.2
apacheqpid_proton
0.13.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
qpid-proton
bullseye
0.22.0-5.1
fixed
trixie
0.37.0-2
fixed
bookworm
0.37.0-2
fixed
sid
0.37.0-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
qpid-proton
xenial
not-affected
wily
not-affected
trusty
dne
precise
dne
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2016/07/15/3
http://www.securityfocus.com/bid/91788
http://www.securitytracker.com/id/1036316
https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E
http://www.openwall.com/lists/oss-security/2016/07/15/3
http://www.securityfocus.com/bid/91788
http://www.securitytracker.com/id/1036316
https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E