VYPR

CWE-295

Improper Certificate Validation

Abstraction: Base · Status: Draft

Description

The product does not validate, or incorrectly validates, a certificate.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-459 (Creating a Rogue Certification Authority Certificate) · CAPEC-475 (Signature Spoofing by Improper Validation)

CVEs mapped to this weakness (720)

page 34 of 36
  • CVE-2020-9321 · Mar 16, 2020
    risk 0.00 · cvss n/a · epss 0.01

    configurationwatcher.go in Traefik 2.x before 2.1.4 and TraefikEE 2.0.0 mishandles the purging of certificate contents from providers before logging.

  • CVE-2019-10091 · Mar 16, 2020
    risk 0.00 · cvss n/a · epss 0.01

    When TLS is enabled with ssl-endpoint-identification-enabled set to true, Apache Geode fails to perform hostname verification of the entries in the certificate SAN during the SSL handshake. This could compromise intra-cluster communication using a man-in-the-middle attack.

  • CVE-2020-7942 · Feb 19, 2020
    risk 0.00 · cvss n/a · epss 0.01

    Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog…

  • CVE-2019-20455 · Feb 14, 2020
    risk 0.00 · cvss n/a · epss 0.01

    Gateways/Gateway.php in Heartland & Global Payments PHP SDK before 2.0.0 does not enforce SSL certificate validations.

  • CVE-2020-7956 · Jan 31, 2020
    risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC, and were susceptible to privilege escalation. Fixed in 0.10.3.

  • CVE-2020-1929 · Jan 15, 2020
    risk 0.00 · cvss n/a · epss 0.01

    The Apache Beam MongoDB connector in versions 2.10.0 to 2.16.0 has an option to disable SSL trust verification. However, this configuration is not respected: trust verification is disabled in every case, regardless of the setting. This exclusion also gets registered globally…

  • CVE-2014-0161 · Jan 2, 2020
    risk 0.00 · cvss n/a · epss 0.00

    ovirt-engine-sdk-python before 3.4.0.7 and 3.5.0.4 does not verify that the hostname of the remote endpoint matches the Common Name (CN) or subjectAltName as specified by its x.509 certificate in a TLS/SSL session. This could allow man-in-the-middle attackers to spoof remote…

  • CVE-2019-16561 · Dec 17, 2019
    risk 0.00 · cvss n/a · epss 0.01

    Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows users with Overall/Read access to disable SSL/TLS certificate and hostname validation for the entire Jenkins master JVM.

  • CVE-2019-16558 · Dec 17, 2019
    risk 0.00 · cvss n/a · epss 0.01

    Jenkins Spira Importer Plugin 3.2.3 and earlier disables SSL/TLS certificate validation for the Jenkins master JVM.

  • CVE-2019-14910 · Dec 5, 2019
    risk 0.00 · cvss n/a · epss 0.01

    A vulnerability was found in Keycloak 7.x. When Keycloak is configured with LDAP user federation and the connection to the LDAP server uses StartTLS instead of SSL/TLS (ldaps), user authentication succeeds even if an invalid password has been entered.

  • CVE-2014-7143 · Nov 12, 2019
    risk 0.00 · cvss n/a · epss 0.03

    In Python Twisted 14.0, the trustRoot setting is not respected by the HTTP client, so the client does not validate server certificates against the configured trust anchors.

  • CVE-2013-2255 · Nov 1, 2019
    risk 0.00 · cvss n/a · epss 0.01

    HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates.

  • CVE-2010-4237 · Oct 29, 2019
    risk 0.00 · cvss n/a · epss 0.01

    Mercurial before 1.6.4 fails to verify the Common Name field of SSL certificates which allows remote attackers who acquire a certificate signed by a Certificate Authority to perform a man-in-the-middle attack.

  • CVE-2019-10446 · Oct 16, 2019
    risk 0.00 · cvss n/a · epss 0.01

    Jenkins Cadence vManager Plugin 2.7.0 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM.

  • CVE-2019-10444 · Oct 16, 2019
    risk 0.00 · cvss n/a · epss 0.01

    Jenkins Bumblebee HP ALM Plugin 4.1.3 and earlier unconditionally disabled SSL/TLS and hostname verification for connections to HP ALM.

  • CVE-2017-18588 · Aug 26, 2019
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in the security-framework crate before 0.1.12 for Rust. Hostname verification for certificates does not occur if ClientBuilder uses custom root certificates.

  • CVE-2016-10931 · Aug 26, 2019
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in the openssl crate before 0.9.0 for Rust. There is an SSL/TLS man-in-the-middle vulnerability because certificate verification is off by default and there is no API for hostname verification.

  • CVE-2019-10382 · Aug 7, 2019
    risk 0.00 · cvss n/a · epss 0.01

    Jenkins VMware Lab Manager Slaves Plugin 0.2.8 and earlier disables SSL/TLS and hostname verification globally for the Jenkins master JVM.

  • CVE-2019-10381 · Aug 7, 2019
    risk 0.00 · cvss n/a · epss 0.01

    Jenkins Codefresh Integration Plugin 1.8 and earlier disables SSL/TLS and hostname verification globally for the Jenkins master JVM.

  • CVE-2019-7615 · Jul 30, 2019
    risk 0.00 · cvss n/a · epss 0.01

    A TLS certificate validation flaw was found in Elastic APM agent for Ruby versions before 2.9.0. When specifying a trusted server CA certificate via the 'server_ca_cert' setting, the Ruby agent would not properly verify the certificate returned by the APM server. This could…