VYPR

CWE-295

Improper Certificate Validation

Base · Draft

Description

The product does not validate, or incorrectly validates, a certificate.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-459 · CAPEC-475

CVEs mapped to this weakness (720)

page 28 of 36
  • CVE-2025-54424 · Aug 1, 2025
    risk 0.00 · cvss · epss 0.01

    1Panel is a web interface and MCP Server that manages websites, files, containers, databases, and LLMs on a Linux server. In versions 2.0.5 and below, the HTTPS protocol used for communication between the Core and Agent endpoints has incomplete certificate verification during…

  • CVE-2025-6037 · Aug 1, 2025
    risk 0.00 · cvss · epss 0.00

    Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate (https://developer.hashicorp.com/vault/api-docs/auth/cert#certificate). In this configuration,…

  • CVE-2025-46551 · May 7, 2025
    risk 0.00 · cvss · epss 0.00

    JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby OpenSSL native library. Starting in JRuby-OpenSSL version 0.12.1 and prior to version 0.15.4 (corresponding to JRuby versions starting in 9.3.4.0 prior to 9.4.12.1 and 10.0.0.0 prior to 10.0.0.1), when verifying SSL…

  • CVE-2025-27820 · Apr 24, 2025
    risk 0.00 · cvss · epss 0.01

    A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release.

  • CVE-2024-56521 · Dec 27, 2024
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely.

  • CVE-2024-6219 · Dec 5, 2024
    risk 0.00 · cvss · epss 0.00

    Mark Laing discovered in LXD's PKI mode, until version 5.21.1, that a restricted certificate could be added to the trust store with its restrictions not honoured.

  • CVE-2024-6156 · Dec 5, 2024
    risk 0.00 · cvss · epss 0.00

    Mark Laing discovered that LXD's PKI mode, until version 5.21.2, could be bypassed if the client's certificate was present in the trust store.

  • CVE-2024-8285 · Aug 30, 2024
    risk 0.00 · cvss · epss 0.00

    A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the…

  • CVE-2024-41264 · Aug 1, 2024
    risk 0.00 · cvss · epss 0.00

    An issue discovered in casdoor v1.636.0 allows attackers to obtain sensitive information via the ssh.InsecureIgnoreHostKey() method.

  • CVE-2024-41256 · Jul 31, 2024
    risk 0.00 · cvss · epss 0.00

    Default configurations in the ShareProofVerifier function of filestash v0.4 cause the application to skip the TLS certificate verification process when sending out email verification codes, possibly allowing attackers to access sensitive data via a man-in-the-middle attack.

  • CVE-2024-40464 · Jul 31, 2024
    risk 0.00 · cvss · epss 0.01

    An issue in beego v2.2.0 and before allows a remote attacker to escalate privileges via the sendMail function located in the beego/core/logs/smtp.go file.

  • CVE-2024-41255 · Jul 31, 2024
    risk 0.00 · cvss · epss 0.00

    filestash v0.4 is configured to skip TLS certificate verification when using the FTPS protocol, possibly allowing attackers to execute a man-in-the-middle attack via the Init function of index.go.

  • CVE-2024-39698 · Jul 9, 2024
    risk 0.00 · cvss · epss 0.00

    electron-updater allows for automatic updates for Electron apps. The file `packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts` implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by…

  • CVE-2024-29733 · Apr 21, 2024
    risk 0.00 · cvss · epss 0.01

    Improper Certificate Validation vulnerability in Apache Airflow FTP Provider. The FTP hook lacks complete certificate validation in FTP_TLS connections, which can potentially be leveraged. Implementing proper certificate validation by passing…

  • CVE-2024-29887 · Mar 27, 2024
    risk 0.00 · cvss · epss 0.00

    Serverpod is an app and web server, built for the Flutter and Dart ecosystem. This bug bypassed the validation of TLS certificates on all non-web HTTP clients in the `serverpod_client` package, making them susceptible to a man-in-the-middle attack against encrypted traffic…

  • CVE-2024-28162 · Mar 6, 2024
    risk 0.00 · cvss · epss 0.00

    In Jenkins Delphix Plugin 3.0.1 through 3.1.0 (both inclusive) a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections fails to take effect until Jenkins is restarted when switching from disabled validation…

  • CVE-2024-28161 · Mar 6, 2024
    risk 0.00 · cvss · epss 0.00

    In Jenkins Delphix Plugin 3.0.1, a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections is disabled by default.

  • CVE-2024-2048 · Mar 4, 2024
    risk 0.00 · cvss · epss 0.00

    Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. In this configuration, an attacker may be able to craft a malicious certificate that could be…

  • CVE-2024-25141 · Feb 20, 2024
    risk 0.00 · cvss · epss 0.01

    When SSL was enabled for the Mongo Hook, default settings included "allow_insecure", which caused certificates not to be validated. This was unexpected and undocumented. Users are recommended to upgrade to version 4.0.0, which fixes this issue.

  • CVE-2023-49250 · Feb 20, 2024
    risk 0.00 · cvss · epss 0.01

    Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server. This issue affects Apache DolphinScheduler: before 3.2.0. Users are recommended to upgrade to…