VYPR

CWE-295

Improper Certificate Validation

BaseDraft

Description

The product does not validate, or incorrectly validates, a certificate.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-459 · CAPEC-475

CVEs mapped to this weakness (720)

page 29 of 36
  • CVE-2024-1052Feb 5, 2024
    risk 0.00cvss epss 0.00

    Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU)…

  • CVE-2023-51837Jan 30, 2024
    risk 0.00cvss epss 0.00

    Ylianst MeshCentral 1.1.16 is vulnerable to Missing SSL Certificate Validation.

  • CVE-2023-51662Dec 22, 2023
    risk 0.00cvss epss 0.00

    The Snowflake .NET driver provides an interface to the Microsoft .NET open source software framework for developing applications. Snowflake recently received a report about a vulnerability in the Snowflake Connector .NET where the checks against the Certificate Revocation List…

  • CVE-2009-4123Dec 12, 2023
    risk 0.00cvss epss 0.01

    The jruby-openssl gem before 0.6 for JRuby mishandles SSL certificate validation.

  • CVE-2023-48054Nov 16, 2023
    risk 0.00cvss epss 0.00

    Missing SSL certificate validation in localstack v2.3.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

  • CVE-2023-48052Nov 16, 2023
    risk 0.00cvss epss 0.00

    Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

  • CVE-2023-31580Oct 24, 2023
    risk 0.00cvss epss 0.01

    light-oauth2 before version 2.1.27 obtains the public key without any verification. This could allow attackers to authenticate to the application with a crafted JWT token.

  • CVE-2023-2422Oct 4, 2023
    risk 0.00cvss epss 0.01

    A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data…

  • CVE-2023-4586Oct 4, 2023
    risk 0.00cvss epss 0.00

    A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack.

  • CVE-2023-39441Aug 23, 2023
    risk 0.00cvss epss 0.01

    Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability. The default SSL context with SSL library did not check a server's X.509 certificate. …

  • CVE-2023-38686Aug 4, 2023
    risk 0.00cvss epss 0.00

    Sydent is an identity server for the Matrix communications protocol. Prior to version 2.5.6, if configured to send emails using TLS, Sydent does not verify SMTP servers' certificates. This makes Sydent's emails vulnerable to interception via a man-in-the-middle (MITM) attack.…

  • CVE-2023-38325Jul 14, 2023
    risk 0.00cvss epss 0.01

    The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.

  • CVE-2023-33201Jul 5, 2023
    risk 0.00cvss epss 0.01

    Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the…

  • CVE-2023-35142Jun 14, 2023
    risk 0.00cvss epss 0.01

    Jenkins Checkmarx Plugin 2022.4.3 and earlier disables SSL/TLS validation for connections to the Checkmarx server by default.

  • CVE-2023-1664May 26, 2023
    risk 0.00cvss epss 0.00

    A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated…

  • CVE-2023-32994May 16, 2023
    risk 0.00cvss epss 0.00

    Jenkins SAML Single Sign On(SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections.

  • CVE-2023-30517Apr 12, 2023
    risk 0.00cvss epss 0.00

    Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier unconditionally disables SSL/TLS certificate and hostname validation when connecting to a configured NeuVector Vulnerability Scanner server.

  • CVE-2023-30516Apr 12, 2023
    risk 0.00cvss epss 0.00

    Jenkins Image Tag Parameter Plugin 2.0 improperly introduces an option to opt out of SSL/TLS certificate validation when connecting to Docker registries, resulting in job configurations using Image Tag Parameters that were created before 2.0 having SSL/TLS certificate validation…

  • CVE-2023-25392Apr 10, 2023
    risk 0.00cvss epss 0.00

    Allegro Tech BigFlow <1.6 is vulnerable to Missing SSL Certificate Validation.

  • CVE-2023-0509Jan 26, 2023
    risk 0.00cvss epss 0.01

    Improper Certificate Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev44.