Summary:
The C client and C-based client bindings in the Apache Qpid Proton library before 0.13.1 on Windows do not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when using the SChannel-based security layer, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.
Severity: Low
Advisory ID: KylinSec-SA-2022-1693
Release date: July 30, 2022
Related CVE: CVE-2016-4467
CVE name | Product | Component | Affected |
---|---|---|---|
CVE-2016-4467 | KY3.4-4A | qpid-proton | Unaffected |
CVE-2016-4467 | KY3.4-5 | qpid-proton | Unaffected |
CVE-2016-4467 | KY3.5.1 | qpid-proton | Unaffected |
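
The check whose absence the summary describes, sketched as an added example (not Qpid Proton's code and not its fix): after chain validation succeeds, the client still has to compare the host it intended to reach with the names in the certificate. The function names, the sample names under example.com and example.net, and the rule that CN is consulted only when no subjectAltName entry exists are assumptions of this example.

```c
#include <ctype.h>
#include <string.h>

/* Case-insensitive comparison of two ASCII DNS names. */
static int name_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Match one certificate name against the host the client meant to reach.
 * "*" is accepted only as the entire leftmost label and covers one label. */
static int pattern_matches(const char *pattern, const char *host) {
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host) return 0;        /* host needs a first label */
        if (strchr(pattern + 2, '.') == NULL) return 0;  /* reject "*.com" style names */
        return name_eq(pattern + 2, dot + 1);
    }
    if (strchr(pattern, '*') != NULL) return 0;          /* no partial wildcards */
    return name_eq(pattern, host);
}

/* Return 1 if the certificate names cover expected_host, else 0.
 * san: subjectAltName dNSName entries; cn: subject CN or NULL.
 * Assumption of this example: CN is consulted only when there are no SAN entries. */
int cert_matches_host(const char *const *san, size_t nsan,
                      const char *cn, const char *expected_host) {
    if (expected_host == NULL || *expected_host == '\0') return 0;
    for (size_t i = 0; i < nsan; i++)
        if (pattern_matches(san[i], expected_host)) return 1;
    if (nsan > 0) return 0;
    return cn != NULL && pattern_matches(cn, expected_host);
}

/* Constructed sample certificates (names only; chain validation assumed passed). */
static const char *const other_site_san[] = { "www.example.net" };
static const char *const broker_san[] = { "*.mq.example.com", "broker.example.com" };

/* A valid certificate issued for a different site must not be accepted. */
int check_other_site_cert(const char *host) {
    return cert_matches_host(other_site_san, 1, "www.example.net", host);
}
int check_broker_cert(const char *host) {
    return cert_matches_host(broker_san, 2, "broker.example.com", host);
}
int main(void) { /* exit status 0 when both outcomes are as expected */
    return (check_broker_cert("broker.example.com") &&
            !check_other_site_cert("broker.example.com")) ? 0 : 1;
}
```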