VYPR

CWE-295

Improper Certificate Validation

Base · Draft

Description

The product does not validate, or incorrectly validates, a certificate.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-459 · CAPEC-475

CVEs mapped to this weakness (720)

page 15 of 36
  • CVE-2014-3607 · Med · Jan 8, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    DefaultHostnameVerifier in Ldaptive (formerly vt-ldap) does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid…

  • CVE-2017-17718 · Med · Dec 17, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation.

  • CVE-2017-17716 · Med · Dec 17, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    GitLab 9.4.x before 9.4.2 does not support LDAP SSL certificate verification, but a verify_certificates LDAP option was mentioned in the 9.4 release announcement. This issue occurred because code was not merged. This is related to use of the omniauth-ldap library and the…

  • CVE-2017-1000209 · Med · Nov 17, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    The Java WebSocket client nv-websocket-client does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL/TLS servers via an arbitrary…

  • CVE-2014-2845 · Med · Nov 15, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    Cyberduck before 4.4.4 on Windows does not properly validate X.509 certificate chains, which allows man-in-the-middle attackers to spoof FTP-SSL servers via a certificate issued by an arbitrary root Certification Authority.

  • CVE-2017-2913 · Med · Nov 7, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    An exploitable vulnerability exists in the filtering functionality of Circle with Disney. SSL certificates for specific domain names can cause the Bluecoat library to accept a different certificate than intended. An attacker can host an HTTPS server with this certificate to…

  • CVE-2014-7242 · Med · Oct 18, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    The SumaHo application 3.0.0 and earlier for Android and the SumaHo "driving capability" diagnosis result transmission application 1.2.2 and earlier for Android allow man-in-the-middle attackers to spoof servers and obtain sensitive information by leveraging failure to verify…

  • CVE-2014-3706 · Med · Oct 18, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    ovirt-engine, as used in Red Hat MRG 3, allows man-in-the-middle attackers to spoof servers by leveraging failure to verify key attributes in vdsm X.509 certificates.

  • CVE-2015-6358 · Med · Oct 12, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    Multiple Cisco embedded devices use hardcoded X.509 certificates and SSH host keys embedded in the firmware, which allows remote attackers to defeat cryptographic protection mechanisms and conduct man-in-the-middle attacks by leveraging knowledge of these certificates and keys…

  • CVE-2015-7778 · Med · Oct 10, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    Gurunavi App for iOS before 6.0.0 does not verify SSL certificates which could allow remote attackers to perform man-in-the-middle attacks.

  • CVE-2017-12228 · Med · Sep 29, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    A vulnerability in the Cisco Network Plug and Play application of Cisco IOS 12.4 through 15.6 and Cisco IOS XE 3.3 through 16.4 could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data by using an invalid certificate. The vulnerability is due…

  • CVE-2015-0874 · Med · Sep 26, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    Smartphone Passbook 1.0.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to obtain sensitive information from encrypted communications via a crafted certificate.

  • CVE-2015-7785 · Med · Sep 25, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    GANMA! App for iOS does not verify SSL certificates.

  • CVE-2015-5666 · Med · Sep 25, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    ANA App for Android 3.1.1 and earlier, and ANA App for iOS 3.3.6 and earlier does not verify SSL certificates.

  • CVE-2016-10511 · Med · Sep 18, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    The Twitter iOS client versions 6.62 and 6.62.1 fail to validate Twitter's server certificates for the /1.1/help/settings.json configuration endpoint, permitting man-in-the-middle attackers the ability to view an application-only OAuth client token and potentially enable…

  • CVE-2017-14420 · Med · Sep 13, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    The D-Link NPAPI extension, as used on D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices, does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and…

  • CVE-2017-14419 · Med · Sep 13, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    The D-Link NPAPI extension, as used on D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices, participates in mydlink Cloud Services by establishing a TCP relay service for HTTP, even though a TCP relay service…

  • CVE-2015-2943 · Med · Sep 6, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    Honda Moto LINC 1.6.1 does not verify SSL certificates.

  • CVE-2015-0210 · Med · Aug 28, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    wpa_supplicant 2.0-16 does not properly check certificate subject name, which allows remote attackers to cause a man-in-the-middle attack.

  • CVE-2015-2674 · Med · Aug 9, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    Restkit allows man-in-the-middle attackers to spoof TLS servers by leveraging use of the ssl.wrap_socket function in Python with the default CERT_NONE value for the cert_reqs argument.