Search
Total
777 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2012-1096 | 2 Debian, Gnome | 2 Debian Linux, Networkmanager | 2020-03-10 | 4.9 MEDIUM | 5.5 MEDIUM |
| NetworkManager 0.9 and earlier allows local users to use other users' certificates or private keys when making a connection via the file path when adding a new connection. | |||||
| CVE-2020-8987 | 1 Avast | 2 Antitrack, Avg Antitrack | 2020-03-10 | 5.8 MEDIUM | 7.4 HIGH |
| Avast AntiTrack before 1.5.1.172 and AVG Antitrack before 2.0.0.178 proxies traffic to HTTPS sites but does not validate certificates, and thus a man-in-the-middle can host a malicious website using a self-signed certificate. No special action necessary by the victim using AntiTrack with "Allow filtering of HTTPS traffic for tracking detection" enabled. (This is the default configuration.) | |||||
| CVE-2020-3155 | 1 Cisco | 11 Intelligence Proximity, Jabber, Meeting and 8 more | 2020-03-05 | 5.8 MEDIUM | 7.4 HIGH |
| A vulnerability in the SSL implementation of the Cisco Intelligent Proximity solution could allow an unauthenticated, remote attacker to view or alter information shared on Cisco Webex video devices and Cisco collaboration endpoints if the products meet the conditions described in the Vulnerable Products section. The vulnerability is due to a lack of validation of the SSL server certificate received when establishing a connection to a Cisco Webex video device or a Cisco collaboration endpoint. An attacker could exploit this vulnerability by using man in the middle (MITM) techniques to intercept the traffic between the affected client and an endpoint, and then using a forged certificate to impersonate the endpoint. Depending on the configuration of the endpoint, an exploit could allow the attacker to view presentation content shared on it, modify any content being presented by the victim, or have access to call controls. This vulnerability does not affect cloud registered collaboration endpoints. | |||||
| CVE-2020-9432 | 1 Lua-openssl Project | 1 Lua-openssl | 2020-02-28 | 6.4 MEDIUM | 9.1 CRITICAL |
| openssl_x509_check_host in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values. | |||||
| CVE-2020-9433 | 1 Lua-openssl Project | 1 Lua-openssl | 2020-02-28 | 6.4 MEDIUM | 9.1 CRITICAL |
| openssl_x509_check_email in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values. | |||||
| CVE-2020-9434 | 1 Lua-openssl Project | 1 Lua-openssl | 2020-02-28 | 6.4 MEDIUM | 9.1 CRITICAL |
| openssl_x509_check_ip_asc in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values. | |||||
| CVE-2016-1000033 | 2 Gnome, Redhat | 2 Shotwell, Enterprise Linux | 2020-02-24 | 4.3 MEDIUM | 3.7 LOW |
| Shotwell version 0.22.0 (and possibly other versions) is vulnerable to a TLS/SSL certification validation flaw resulting in a potential for man in the middle attacks. | |||||
| CVE-2019-3751 | 1 Dell | 1 Emc Enterprise Copy Data Management | 2020-02-10 | 5.8 MEDIUM | 7.4 HIGH |
| Dell EMC Enterprise Copy Data Management (eCDM) versions 1.0, 1.1, 2.0, 2.1, and 3.0 contain a certificate validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to carry out a man-in-the-middle attack by supplying a crafted certificate and intercepting the victim's traffic to view or modify a victim’s data in transit. | |||||
| CVE-2018-5926 | 1 Hp | 1 Remote Graphics Software | 2020-02-10 | 6.4 MEDIUM | 9.1 CRITICAL |
| A potential vulnerability has been identified in HP Remote Graphics Software’s certificate authentication process version 7.5.0 and earlier. | |||||
| CVE-2020-5526 | 1 Fujixerox | 1 Apeosware Management Suite | 2020-02-10 | 4.3 MEDIUM | 5.9 MEDIUM |
| The AWMS Mobile App for Android 2.0.0 to 2.0.5 and for iOS 2.0.0 to 2.0.8 does not verify X.509 certificates from servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2014-3230 | 1 Lwp\ | 1 \ | 2020-02-06 | 4.3 MEDIUM | 5.9 MEDIUM |
| The libwww-perl LWP::Protocol::https module 6.04 through 6.06 for Perl, when using IO::Socket::SSL as the SSL socket class, allows attackers to disable server certificate validation via the (1) HTTPS_CA_DIR or (2) HTTPS_CA_FILE environment variable. | |||||
| CVE-2017-14806 | 1 Suse | 2 Studio Onsite, Susestudio-ui-server | 2020-02-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| A Improper Certificate Validation vulnerability in susestudio-common of SUSE Studio onsite allows remote attackers to MITM connections to the repositories, which allows the modification of packages received over these connections. This issue affects: SUSE Studio onsite susestudio-common version 1.3.17-56.6.3 and prior versions. | |||||
| CVE-2020-7956 | 1 Hashicorp | 1 Nomad | 2020-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC, and were susceptible to privilege escalation. Fixed in 0.10.3. | |||||
| CVE-2018-8019 | 2 Apache, Debian | 2 Tomcat Native, Debian Linux | 2020-02-03 | 4.3 MEDIUM | 7.4 HIGH |
| When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates when using mutual TLS. Users not using OCSP checks are not affected by this vulnerability. | |||||
| CVE-2020-7904 | 1 Jetbrains | 1 Intellij Idea | 2020-02-01 | 5.8 MEDIUM | 7.4 HIGH |
| In JetBrains IntelliJ IDEA before 2019.3, some Maven repositories were accessed via HTTP instead of HTTPS. | |||||
| CVE-2020-5523 | 9 77bank, Ashikagabank, Hokkaidobank and 6 more | 9 77 Bank, Ashigin, Dogin and 6 more | 2020-01-31 | 5.8 MEDIUM | 7.4 HIGH |
| Android App 'MyPallete' and some of the Android banking applications based on 'MyPallete' do not verify X.509 certificates from servers, and also do not properly validate certificates with host-mismatch, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2006-7246 | 3 Gnome, Opensuse, Suse | 4 Networkmanager, Opensuse, Linux Enterprise Desktop and 1 more | 2020-01-31 | 3.2 LOW | 6.8 MEDIUM |
| NetworkManager 0.9.x does not pin a certificate's subject to an ESSID when 802.11X authentication is used. | |||||
| CVE-2015-0294 | 3 Debian, Gnu, Redhat | 3 Debian Linux, Gnutls, Enterprise Linux | 2020-01-31 | 5.0 MEDIUM | 7.5 HIGH |
| GnuTLS before 3.3.13 does not validate that the signature algorithms match when importing a certificate. | |||||
| CVE-2020-5522 | 1 Fujixerox | 1 Easy Netprint | 2020-01-28 | 5.8 MEDIUM | 7.4 HIGH |
| The kantan netprint App for Android 2.0.3 and earlier does not verify X.509 certificates from servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2020-5521 | 1 Fujixerox | 1 Easy Netprint | 2020-01-28 | 5.8 MEDIUM | 7.4 HIGH |
| The kantan netprint App for iOS 2.0.2 and earlier does not verify X.509 certificates from servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2020-5520 | 1 Fujixerox | 1 Netprint | 2020-01-28 | 5.8 MEDIUM | 7.4 HIGH |
| The netprint App for iOS 3.2.3 and earlier does not verify X.509 certificates from servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2020-3940 | 1 Vmware | 9 Workspace One Boxer, Workspace One Content, Workspace One Intelligent Hub and 6 more | 2020-01-27 | 4.3 MEDIUM | 5.9 MEDIUM |
| VMware Workspace ONE SDK and dependent mobile application updates address sensitive information disclosure vulnerability. | |||||
| CVE-2020-1929 | 1 Apache | 1 Beam | 2020-01-24 | 5.0 MEDIUM | 7.5 HIGH |
| The Apache Beam MongoDB connector in versions 2.10.0 to 2.16.0 has an option to disable SSL trust verification. However this configuration is not respected and the certificate verification disables trust verification in every case. This exclusion also gets registered globally which disables trust checking for any code running in the same JVM. | |||||
| CVE-2011-2669 | 1 Mozilla | 1 Firefox | 2020-01-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| Mozilla Firefox prior to 3.6 has a DoS vulnerability due to an issue in the validation of certificates. | |||||
| CVE-2012-1316 | 1 Cisco | 1 Ironport Web Security Appliance | 2020-01-23 | 4.3 MEDIUM | 5.9 MEDIUM |
| Cisco IronPort Web Security Appliance does not check for certificate revocation which could lead to MITM attacks | |||||
| CVE-2020-0601 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2020-01-16 | 5.8 MEDIUM | 8.1 HIGH |
| A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'. | |||||
| CVE-2019-19270 | 2 Fedoraproject, Proftpd | 2 Fedora, Proftpd | 2020-01-13 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. Failure to check for the appropriate field of a CRL entry (checking twice for subject, rather than once for subject and once for issuer) prevents some valid CRLs from being taken into account, and can allow clients whose certificates have been revoked to proceed with a connection to the server. | |||||
| CVE-2019-6032 | 1 Ntv | 1 News 24 | 2020-01-10 | 5.8 MEDIUM | 7.4 HIGH |
| The NTV News24 prior to Ver.3.0.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2017-7322 | 1 Modx | 1 Modx Revolution | 2020-01-10 | 6.8 MEDIUM | 8.1 HIGH |
| The (1) update and (2) package-installation features in MODX Revolution 2.5.4-pl and earlier do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and trigger the execution of arbitrary code via a crafted certificate. | |||||
| CVE-2013-0264 | 1 Redhat | 1 Mrg Management Console | 2020-01-10 | 5.0 MEDIUM | 7.5 HIGH |
| An import error was introduced in Cumin in the code refactoring in r5310. Server certificate validation is always disabled when connecting to Aviary servers, even if the installed packages on a system support it. | |||||
| CVE-2014-0104 | 1 Clusterlabs | 1 Fence-agents | 2020-01-10 | 4.3 MEDIUM | 5.9 MEDIUM |
| In fence-agents before 4.0.17 does not verify remote SSL certificates in the fence_cisco_ucs.py script which can potentially allow for man-in-the-middle attackers to spoof SSL servers via arbitrary SSL certificates. | |||||
| CVE-2014-0161 | 1 Ovirt-engine-sdk-python Project | 1 Ovirt-engine-sdk-python | 2020-01-10 | 4.3 MEDIUM | 5.9 MEDIUM |
| ovirt-engine-sdk-python before 3.4.0.7 and 3.5.0.4 does not verify that the hostname of the remote endpoint matches the Common Name (CN) or subjectAltName as specified by its x.509 certificate in a TLS/SSL session. This could allow man-in-the-middle attackers to spoof remote endpoints via an arbitrary valid certificate. | |||||
| CVE-2019-16558 | 1 Jenkins | 1 Spira Importer | 2020-01-03 | 6.4 MEDIUM | 8.2 HIGH |
| Jenkins Spira Importer Plugin 3.2.3 and earlier disables SSL/TLS certificate validation for the Jenkins master JVM. | |||||
| CVE-2019-18826 | 1 Barco | 8 Clickshare Cs-100, Clickshare Cs-100 Firmware, Clickshare Cse-200 and 5 more | 2019-12-27 | 7.5 HIGH | 9.8 CRITICAL |
| Barco ClickShare Button R9861500D01 devices before 1.9.0 have Improper Following of a Certificate's Chain of Trust. The embedded 'dongle_bridge' program used to expose the functionalities of the ClickShare Button to a USB host, does not properly validate the whole certificate chain. | |||||
| CVE-2014-3495 | 2 Debian, Opensuse | 3 Debian Linux, Duplicity, Opensuse | 2019-12-19 | 5.0 MEDIUM | 7.5 HIGH |
| duplicity 0.6.24 has improper verification of SSL certificates | |||||
| CVE-2019-16561 | 1 Jenkins | 1 Websphere Deployer | 2019-12-18 | 5.5 MEDIUM | 7.1 HIGH |
| Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows users with Overall/Read access to disable SSL/TLS certificate and hostname validation for the entire Jenkins master JVM. | |||||
| CVE-2011-2207 | 3 Debian, Gnupg, Redhat | 3 Debian Linux, Gnupg, Enterprise Linux | 2019-12-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| dirmngr before 2.1.0 improperly handles certain system calls, which allows remote attackers to cause a denial of service (DOS) via a specially-crafted certificate. | |||||
| CVE-2019-19271 | 1 Proftpd | 1 Proftpd | 2019-12-11 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. A wrong iteration variable, used when checking a client certificate against CRL entries (installed by a system administrator), can cause some CRL entries to be ignored, and can allow clients whose certificates have been revoked to proceed with a connection to the server. | |||||
| CVE-2014-2845 | 2 Cyberduck, Microsoft | 2 Cyberduck, Windows | 2019-12-11 | 4.3 MEDIUM | 5.9 MEDIUM |
| Cyberduck before 4.4.4 on Windows does not properly validate X.509 certificate chains, which allows man-in-the-middle attackers to spoof FTP-SSL servers via a certificate issued by an arbitrary root Certification Authority. | |||||
| CVE-2019-11554 | 1 Amazon | 1 Audible | 2019-12-11 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Audible application through 2.34.0 for Android has Missing SSL Certificate Validation for Adobe SDKs, allowing MITM attackers to cause a denial of service. | |||||
| CVE-2012-5518 | 1 Ovirt | 1 Vdsm | 2019-12-09 | 4.3 MEDIUM | 7.5 HIGH |
| vdsm: certificate generation upon node creation allowing vdsm to start and serve requests from anyone who has a matching key (and certificate) | |||||
| CVE-2014-2902 | 1 Wolfssl | 1 Wolfssl | 2019-12-04 | 5.0 MEDIUM | 7.5 HIGH |
| wolfssl before 3.2.0 does not properly authorize CA certificate for signing other certificates. | |||||
| CVE-2014-2901 | 1 Wolfssl | 1 Wolfssl | 2019-12-04 | 5.0 MEDIUM | 7.5 HIGH |
| wolfssl before 3.2.0 does not properly issue certificates for a server's hostname. | |||||
| CVE-2012-6071 | 2 Debian, Nusoap Project | 2 Debian Linux, Nusoap | 2019-11-25 | 5.0 MEDIUM | 7.5 HIGH |
| nuSOAP before 0.7.3-5 does not properly check the hostname of a cert. | |||||
| CVE-2010-4533 | 2 Debian, Offlineimap | 2 Debian Linux, Offlineimap | 2019-11-15 | 7.5 HIGH | 9.8 CRITICAL |
| offlineimap before 6.3.4 added support for SSL server certificate validation but it is still possible to use SSL v2 protocol, which is a flawed protocol with multiple security deficiencies. | |||||
| CVE-2014-8167 | 1 Redhat | 3 Enterprise Virtualization, Vdsclient, Virtual Desktop Server Manager | 2019-11-15 | 4.3 MEDIUM | 5.9 MEDIUM |
| vdsm and vdsclient does not validate certficate hostname from another vdsm which could facilitate a man-in-the-middle attack | |||||
| CVE-2010-4532 | 2 Debian, Offlineimap | 2 Debian Linux, Offlineimap | 2019-11-15 | 4.3 MEDIUM | 5.9 MEDIUM |
| offlineimap before 6.3.2 does not check for SSL server certificate validation when "ssl = yes" option is specified which can allow man-in-the-middle attacks. | |||||
| CVE-2014-7143 | 1 Twistedmatrix | 1 Twisted | 2019-11-14 | 5.0 MEDIUM | 7.5 HIGH |
| Python Twisted 14.0 trustRoot is not respected in HTTP client | |||||
| CVE-2009-3552 | 1 Redhat | 1 Enterprise Virtualization Manager | 2019-11-12 | 2.9 LOW | 3.1 LOW |
| In RHEV-M VDC 2.2.0, it was found that the SSL certificate was not verified when using the client-side Red Hat Enterprise Virtualization Manager interface (a Windows Presentation Foundation (WPF) XAML browser application) to connect to the Red Hat Enterprise Virtualization Manager. An attacker on the local network could use this flaw to conduct a man-in-the-middle attack, tricking the user into thinking they are viewing the Red Hat Enterprise Virtualization Manager when the content is actually attacker-controlled, or modifying actions a user requested Red Hat Enterprise Virtualization Manager to perform. | |||||
| CVE-2019-16209 | 1 Broadcom | 1 Brocade Sannav | 2019-11-09 | 5.8 MEDIUM | 7.4 HIGH |
| A vulnerability, in The ReportsTrustManager class of Brocade SANnav versions before v2.0, could allow an attacker to perform a man-in-the-middle attack against Secure Sockets Layer(SSL)connections. | |||||