CVE-2016-4467

The C client and C-based client bindings in the Apache Qpid Proton library before 0.13.1 on Windows do not properly verify that the server hostname matches a domain name in the subjects Common Name (CN) or subjectAltName field of the X.509 certificate when using the SChannel-based security layer, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

Name	Vendor	Start Version	End Version
Qpid_proton	Apache	0.8.0 (including)	0.8.0 (including)
Qpid_proton	Apache	0.9.0 (including)	0.9.0 (including)
Qpid_proton	Apache	0.9.1 (including)	0.9.1 (including)
Qpid_proton	Apache	0.10.0 (including)	0.10.0 (including)
Qpid_proton	Apache	0.11.0 (including)	0.11.0 (including)
Qpid_proton	Apache	0.11.1 (including)	0.11.1 (including)
Qpid_proton	Apache	0.12.0 (including)	0.12.0 (including)
Qpid_proton	Apache	0.12.1 (including)	0.12.1 (including)
Qpid_proton	Apache	0.12.2 (including)	0.12.2 (including)
Qpid_proton	Apache	0.13.0 (including)	0.13.0 (including)
Qpid-proton	Ubuntu	upstream	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2016-4467
CWE	https://cwe.mitre.org/data/definitions/295.html

Improper Certificate Validation

Weakness

Affected Software

Potential Mitigations

References

CVE-2016-4467

Improper Certificate Validation

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References