Total: 777 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2020-12421 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2020-07-27 | 4.3 MEDIUM | 6.5 MEDIUM | When performing add-on updates, certificate chains terminating in non-built-in roots were rejected (even if they were legitimately added by an administrator). This could have caused add-ons to become out-of-date silently without notification to the user. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. |
| CVE-2020-15720 | 1 Dogtagpki | 1 Dogtagpki | 2020-07-23 | 4.0 MEDIUM | 6.8 MEDIUM | In Dogtag PKI through 10.8.3, the pki.client.PKIConnection class did not enable python-requests certificate validation. Since the verify parameter was hard-coded in all request functions, it was not possible to override the setting. As a result, tools making use of this class, such as the pki-server command, may have been vulnerable to Person-in-the-Middle attacks in certain non-localhost use cases. This is fixed in 10.9.0-b1. |
| CVE-2020-15813 | 1 Graylog | 1 Graylog | 2020-07-22 | 6.8 MEDIUM | 8.1 HIGH | Graylog before 3.3.3 lacks SSL Certificate Validation for LDAP servers. It allows use of an external user/group database stored in LDAP. The connection configuration allows the usage of unencrypted, SSL- or TLS-secured connections. Unfortunately, the Graylog client code (in all versions that support LDAP) does not implement proper certificate validation (regardless of whether the "Allow self-signed certificates" option is used). Therefore, any attacker with the ability to intercept network traffic between a Graylog server and an LDAP server is able to redirect traffic to a different LDAP server (unnoticed by the Graylog server due to the lack of certificate validation), effectively bypassing Graylog's authentication mechanism. |
| CVE-2019-17560 | 1 Apache | 1 Netbeans | 2020-07-15 | 6.4 MEDIUM | 9.1 CRITICAL | The "Apache NetBeans" autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code. "Apache NetBeans" versions up to and including 11.2 are affected by this vulnerability. |
| CVE-2020-5909 | 1 F5 | 1 Nginx Controller | 2020-07-08 | 5.8 MEDIUM | 5.4 MEDIUM | In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in the NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified. |
| CVE-2020-14981 | 1 Vipre | 1 Password Vault | 2020-07-06 | 4.3 MEDIUM | 5.9 MEDIUM | The ThreatTrack VIPRE Password Vault app through 1.100.1090 for iOS has Missing SSL Certificate Validation. |
| CVE-2020-14980 | 1 Sophos | 1 Sophos Secure Email | 2020-07-06 | 4.3 MEDIUM | 5.9 MEDIUM | The Sophos Secure Email application through 3.9.4 for Android has Missing SSL Certificate Validation. |
| CVE-2020-5367 | 1 Dell | 3 Emc Unisphere For Powermax, Emc Unisphere For Powermax Virtual Appliance, Powermax Os | 2020-07-02 | 6.8 MEDIUM | 8.1 HIGH | Dell EMC Unisphere for PowerMax versions prior to 9.1.0.17, Dell EMC Unisphere for PowerMax Virtual Appliance versions prior to 9.1.0.17, and PowerMax OS Release 5978 contain an improper certificate validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to carry out a man-in-the-middle attack by supplying a crafted certificate and intercepting the victim's traffic to view or modify a victim's data in transit. |
| CVE-2020-15047 | 1 Trojita Project | 1 Trojita | 2020-07-02 | 4.3 MEDIUM | 5.9 MEDIUM | MSA/SMTP.cpp in Trojita before 0.8 ignores certificate-verification errors, which allows man-in-the-middle attackers to spoof SMTP servers. |
| CVE-2017-18911 | 1 Mattermost | 1 Mattermost Server | 2020-06-26 | 6.4 MEDIUM | 9.1 CRITICAL | An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server. |
| CVE-2017-18909 | 1 Mattermost | 1 Mattermost Server | 2020-06-25 | 4.3 MEDIUM | 7.5 HIGH | An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory. |
| CVE-2020-3342 | 1 Cisco | 1 Webex Meetings | 2020-06-24 | 9.3 HIGH | 8.8 HIGH | A vulnerability in the software update feature of Cisco Webex Meetings Desktop App for Mac could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. The vulnerability is due to improper validation of cryptographic protections on files that are downloaded by the application as part of a software update. An attacker could exploit this vulnerability by persuading a user to go to a website that returns files to the client that are similar to files that are returned from a valid Webex website. The client may fail to properly validate the cryptographic protections of the provided files before executing them as part of an update. A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the user. |
| CVE-2017-5905 | 1 Dollar Bank | 1 Dollar Bank Mobile | 2020-06-24 | 4.3 MEDIUM | 5.9 MEDIUM | The Dollar Bank Mobile app 2.6.3 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| CVE-2017-5902 | 1 Payquicker | 1 Mypayquicker | 2020-06-24 | 4.3 MEDIUM | 5.9 MEDIUM | The PayQuicker app 1.0.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| CVE-2017-3212 | 1 Sccu | 1 Space Coast Credit Union | 2020-06-24 | 4.3 MEDIUM | 5.9 MEDIUM | The Space Coast Credit Union Mobile app 2.2 for iOS and 2.1.0.1104 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| CVE-2017-18918 | 1 Mattermost | 1 Mattermost Server | 2020-06-23 | 4.0 MEDIUM | 4.9 MEDIUM | An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A System Administrator can place a SAML certificate at an arbitrary pathname. |
| CVE-2016-11076 | 1 Mattermost | 1 Mattermost Server | 2020-06-23 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL. |
| CVE-2016-1148 | 1 Photosynth | 1 Akerun | 2020-06-23 | 4.3 MEDIUM | 8.1 HIGH | Akerun - Smart Lock Robot App for iOS before 1.2.4 does not verify SSL certificates. |
| CVE-2020-4320 | 5 Hp, Ibm, Linux and 2 more | 6 Hp-ux, Aix, Mq and 3 more | 2020-06-23 | 4.0 MEDIUM | 6.5 MEDIUM | IBM MQ Appliance and IBM MQ AMQP Channels 8.0, 9.0 LTS, 9.1 LTS, and 9.1 CD do not correctly block or allow clients based on the certificate distinguished name SSLPEER setting. IBM X-Force ID: 177403. |
| CVE-2019-16252 | 1 Nutfind | 1 Nutfind | 2020-06-22 | 4.3 MEDIUM | 5.9 MEDIUM | Missing SSL Certificate Validation in the Nutfind.com application through 3.9.12 for Android allows a man-in-the-middle attacker to sniff and manipulate all API requests, including login credentials and location data. |
| CVE-2020-2033 | 1 Paloaltonetworks | 1 Globalprotect | 2020-06-16 | 2.9 LOW | 5.3 MEDIUM | When the pre-logon feature is enabled, a missing certificate validation in the Palo Alto Networks GlobalProtect app can disclose the pre-logon authentication cookie to a man-in-the-middle attacker on the same local area network segment with the ability to manipulate ARP or to conduct ARP spoofing attacks. This allows the attacker to access the GlobalProtect Server as allowed by configured Security rules for the 'pre-login' user. This access may be limited compared to the network access of regular users. This issue affects: GlobalProtect app 5.0 versions earlier than GlobalProtect app 5.0.10 when the prelogon feature is enabled; GlobalProtect app 5.1 versions earlier than GlobalProtect app 5.1.4 when the prelogon feature is enabled. |
| CVE-2020-0119 | 1 Google | 1 Android | 2020-06-15 | 5.4 MEDIUM | 5.3 MEDIUM | In addOrUpdateNetworkInternal and related functions of WifiConfigManager.java, there is a possible man in the middle attack due to improper certificate validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-150500247. |
| CVE-2020-9040 | 1 Couchbase | 1 Couchbase Server Java Sdk | 2020-06-11 | 5.0 MEDIUM | 7.5 HIGH | Couchbase Server Java SDK before 2.7.1.1 allows a potential attacker to forge an SSL certificate and pose as the intended peer. An attacker can leverage this flaw by crafting a cryptographically valid certificate that will be accepted by the Java SDK's Netty component due to missing hostname verification. |
| CVE-2020-10059 | 1 Zephyrproject | 1 Zephyr | 2020-06-05 | 5.8 MEDIUM | 4.8 MEDIUM | The UpdateHub module disables DTLS peer checking, which allows for a man in the middle attack. This is mitigated by firmware images requiring valid signatures. However, there is no benefit to using DTLS without the peer checking. See NCC-ZEP-018. This issue affects: zephyrproject-rtos zephyr version 2.1.0 and later versions. |
| CVE-2016-10937 | 1 Imapfilter Project | 1 Imapfilter | 2020-06-03 | 5.0 MEDIUM | 7.5 HIGH | IMAPFilter through 2.6.12 does not validate the hostname in an SSL certificate. |
| CVE-2020-13616 | 1 Pichi Project | 1 Pichi | 2020-05-29 | 4.3 MEDIUM | 5.9 MEDIUM | The boost ASIO wrapper in net/asio.cpp in Pichi before 1.3.0 lacks TLS hostname verification. |
| CVE-2020-13245 | 1 Netgear | 28 R6120, R6120 Firmware, R6220 and 25 more | 2020-05-29 | 4.3 MEDIUM | 5.9 MEDIUM | Certain NETGEAR devices are affected by Missing SSL Certificate Validation. This affects R7000 1.0.9.6_1.2.19 through 1.0.11.100_10.2.10, and possibly R6120, R7800, R6220, R8000, R6350, R9000, R6400, RAX120, R6400v2, RBR20, R6800, XR300, R6850, XR500, and R7000P. |
| CVE-2020-13615 | 1 Qore | 1 Qore | 2020-05-28 | 4.3 MEDIUM | 5.9 MEDIUM | lib/QoreSocket.cpp in Qore before 0.9.4.2 lacks hostname verification for X.509 certificates. |
| CVE-2020-1113 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2020-05-27 | 9.3 HIGH | 7.5 HIGH | A security feature bypass vulnerability exists in Microsoft Windows when the Task Scheduler service fails to properly verify client connections over RPC, aka 'Windows Task Scheduler Security Feature Bypass Vulnerability'. |
| CVE-2020-1758 | 1 Redhat | 2 Keycloak, Openstack | 2020-05-19 | 4.3 MEDIUM | 5.9 MEDIUM | A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack. |
| CVE-2010-4685 | 1 Cisco | 1 Ios | 2020-05-19 | 4.0 MEDIUM | N/A | Cisco IOS before 15.0(1)XA1 does not clear the public key cache upon a change to a certificate map, which allows remote authenticated users to bypass a certificate ban by connecting with a banned certificate that had previously been valid, aka Bug ID CSCta79031. |
| CVE-2020-12637 | 1 Zulipchat | 1 Zulip Desktop | 2020-05-13 | 7.5 HIGH | 9.8 CRITICAL | Zulip Desktop before 5.2.0 has Missing SSL Certificate Validation because all validation was inadvertently disabled during an attempt to recognize the ignoreCerts option. |
| CVE-2020-12143 | 1 Silver-peak | 44 Nx-1000, Nx-1000 Firmware, Nx-10k and 41 more | 2020-05-12 | 4.0 MEDIUM | 4.9 MEDIUM | The certificate used to identify Orchestrator to EdgeConnect devices is not validated, which makes it possible for someone to establish a TLS connection from EdgeConnect to an untrusted Orchestrator. |
| CVE-2020-12144 | 1 Silver-peak | 44 Nx-1000, Nx-1000 Firmware, Nx-10k and 41 more | 2020-05-12 | 4.0 MEDIUM | 4.9 MEDIUM | The certificate used to identify the Silver Peak Cloud Portal to EdgeConnect devices is not validated. This makes it possible for someone to establish a TLS connection from EdgeConnect to an untrusted portal. |
| CVE-2020-2187 | 1 Jenkins | 1 Amazon Ec2 | 2020-05-11 | 6.8 MEDIUM | 5.6 MEDIUM | Jenkins Amazon EC2 Plugin 1.50.1 and earlier unconditionally accepts self-signed certificates and does not perform hostname validation, enabling man-in-the-middle attacks. |
| CVE-2011-2874 | 1 Google | 1 Chrome | 2020-05-08 | 6.8 MEDIUM | N/A | Google Chrome before 14.0.835.163 does not perform an expected pin operation for a self-signed certificate during a session, which has unspecified impact and remote attack vectors. |
| CVE-2020-1952 | 1 Apache | 1 Iotdb | 2020-05-04 | 7.5 HIGH | 9.8 CRITICAL | An issue was found in Apache IoTDB .9.0 to 0.9.1 and 0.8.0 to 0.8.2. When starting IoTDB, the JMX port 31999 is exposed with no certification. Then, clients could execute code remotely. |
| CVE-2020-11806 | 1 Mailstore | 1 Mailstore Server | 2020-05-01 | 4.3 MEDIUM | 5.9 MEDIUM | In MailStore Outlook Add-in (and Email Archive Outlook Add-in) through 12.1.2, the login process does not validate the validity of the certificate presented by the server. |
| CVE-2020-5864 | 1 F5 | 1 Nginx Controller | 2020-04-30 | 5.8 MEDIUM | 7.4 HIGH | In versions of NGINX Controller prior to 3.2.0, communication between NGINX Controller and NGINX Plus instances skips TLS verification by default. |
| CVE-2020-11792 | 1 Netgear | 8 R8900, R8900 Firmware, R9000 and 5 more | 2020-04-21 | 5.0 MEDIUM | 7.5 HIGH | NETGEAR R8900, R9000, RAX120, and XR700 devices before 2020-01-20 are affected by Transport Layer Security (TLS) certificate private key disclosure. |
| CVE-2019-4654 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2020-04-20 | 5.8 MEDIUM | 4.8 MEDIUM | IBM QRadar 7.3.0 to 7.3.3 Patch 2 does not validate, or incorrectly validates, a certificate, which could allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. IBM X-Force ID: 170965. |
| CVE-2011-3024 | 1 Google | 1 Chrome | 2020-04-16 | 4.3 MEDIUM | N/A | Google Chrome before 17.0.963.56 allows remote attackers to cause a denial of service (application crash) via an empty X.509 certificate. |
| CVE-2019-1010206 | 1 Http Request Project | 1 Http Request | 2020-04-14 | 4.3 MEDIUM | 5.9 MEDIUM | OSS Http Request (Apache Cordova Plugin) 6 is affected by: Missing SSL certificate validation. The impact is: certificate spoofing. The component is: use of this library for https communication. The attack vector is: certificate spoofing. |
| CVE-2011-3061 | 1 Google | 1 Chrome | 2020-04-14 | 5.8 MEDIUM | N/A | Google Chrome before 18.0.1025.142 does not properly check X.509 certificates before use of a SPDY proxy, which might allow man-in-the-middle attackers to spoof servers or obtain sensitive information via a crafted certificate. |
| CVE-2018-11751 | 1 Puppet | 1 Puppet Server | 2020-04-07 | 4.8 MEDIUM | 5.4 MEDIUM | Previous versions of Puppet Agent didn't verify the peer in the SSL connection prior to downloading the CRL. This issue is resolved in Puppet Agent 6.4.0. |
| CVE-2019-3762 | 1 Dell | 2 Emc Data Protection Central, Emc Integrated Data Protection Appliance | 2020-03-27 | 5.0 MEDIUM | 7.5 HIGH | Data Protection Central versions 1.0, 1.0.1, 18.1, 18.2, and 19.1 contain an Improper Certificate Chain of Trust Vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by obtaining a CA signed certificate from Data Protection Central to impersonate a valid system to compromise the integrity of data. |
| CVE-2019-11688 | 1 Asustor | 1 Exfat Driver | 2020-03-24 | 8.8 HIGH | 7.4 HIGH | An issue was discovered in ASUSTOR exFAT Driver through 1.0.0.r20. When conducting license validation, exfat.cgi and exfatctl accept any certificate for asustornasapi.asustor.com. In other words, there is Missing SSL Certificate Validation. |
| CVE-2020-10659 | 2 Entrustdatacard, Microsoft | 2 Entelligence Security Provider, Windows | 2020-03-24 | 4.0 MEDIUM | 4.3 MEDIUM | Entrust Entelligence Security Provider (ESP) before 10.0.60 on Windows mishandles errors during SSL Certificate Validation, leading to situations where (for example) a user continues to interact with a web site that has an invalid certificate chain. |
| CVE-2020-6175 | 1 Citrix | 2 Citrix Sd-wan Center, Netscaler Sd-wan Center | 2020-03-20 | 4.3 MEDIUM | 5.9 MEDIUM | Citrix SD-WAN 10.2.x before 10.2.6 and 11.0.x before 11.0.3 has Missing SSL Certificate Validation. |
| CVE-2020-1887 | 1 Linuxfoundation | 1 Osquery | 2020-03-18 | 5.8 MEDIUM | 9.1 CRITICAL | Incorrect validation of the TLS SNI hostname in osquery versions after 2.9.0 and before 4.2.0 could allow an attacker to MITM osquery traffic in the absence of a configured root chain of trust. |
