VYPR

CWE-295

Improper Certificate Validation

Abstraction: Base · Status: Draft

Description

The product does not validate, or incorrectly validates, a certificate.
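The one-line description above is the whole weakness: the client (or server, for client certificates) accepts a certificate without checking its chain, its name, or both, so an attacker in a privileged network position can present any certificate and read or alter the traffic. As an added example, not code from this page or from any product listed below, here is that pattern in a Python `ssl` client, the weak setting beside the fixed one, plus a small audit function that flags a context carrying the weakness. All function names are this example's own.

```python
"""CWE-295 (improper certificate validation) in a Python TLS client: the weak
configuration beside the hardened one, and an audit that tells them apart.
Added example; function names are this example's own, not a library API."""
import ssl
import warnings


def insecure_client_context() -> ssl.SSLContext:
    """The CWE-295 pattern as it appears in most of the CVEs on this page.

    With verification off, a self-signed, expired, or wrong-name certificate
    presented by a man-in-the-middle is accepted silently. The Java equivalent
    is an X509TrustManager whose checkServerTrusted() does nothing, or a
    HostnameVerifier that always returns true.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # never check the chain at all
    return ctx


def legacy_default_context() -> ssl.SSLContext:
    """The quieter variant: the bare constructor (PROTOCOL_TLS) verifies
    nothing by default, so code that 'never disabled anything' is still
    vulnerable. Python warns that this constructor is deprecated."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext()


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """create_default_context() sets CERT_REQUIRED and check_hostname=True and
    loads the platform trust store; pass cafile for an internal PKI bundle.
    Connect with ctx.wrap_socket(sock, server_hostname=host): with
    check_hostname on, omitting server_hostname raises instead of silently
    skipping the name check."""
    return ssl.create_default_context(cafile=cafile)


def audit_context(ctx: ssl.SSLContext) -> set:
    """Return the CWE-295 findings for a client context (empty set = OK)."""
    findings = set()
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.add("CERT_NONE")           # chain is never validated
    if not ctx.check_hostname:
        findings.add("NO_HOSTNAME_CHECK")   # any valid cert for any name passes
    # Verification enabled but no trust anchors loaded: the handshake can
    # never succeed, which usually ends with someone "fixing" it via CERT_NONE.
    if ctx.verify_mode != ssl.CERT_NONE and ctx.cert_store_stats()["x509_ca"] == 0:
        findings.add("NO_TRUST_ANCHORS")
    return findings


if __name__ == "__main__":
    for name, ctx in [("insecure", insecure_client_context()),
                      ("legacy-default", legacy_default_context()),
                      ("hardened", hardened_client_context())]:
        print(f"{name:15} {sorted(audit_context(ctx)) or 'OK'}")
```

To see the difference on the wire, point each context at a host that presents a self-signed certificate: the insecure and legacy contexts complete the handshake, the hardened one raises `ssl.SSLCertVerificationError`. The audit is the check to run in a code review or a test suite; the same two questions (is the chain checked, is the name checked) apply to any TLS stack, whatever the language.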

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-459 · CAPEC-475

CVEs mapped to this weakness (720)

page 8 of 36
  • CVE-2026-41872 · High · May 12, 2026
    risk 0.48 · CVSS 7.4 · EPSS 0.00

    "Kura Sushi Official App" provided by EPG, Inc. is vulnerable to improper certificate validation. A man-in-the-middle attack may allow eavesdropping on, or altering, the communication on push notifications between the affected application and the relevant server.

  • CVE-2026-7821 · High · May 7, 2026
    risk 0.48 · CVSS 7.4 · EPSS 0.01

    Improper certificate validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about EPMM appliance…

  • CVE-2026-35560 · High · Apr 3, 2026
    risk 0.48 · CVSS 7.4 · EPSS 0.00

    Improper certificate validation in the identity provider connection components in Amazon Athena ODBC driver before 2.1.0.0 might allow a man-in-the-middle threat actor to intercept authentication credentials due to insufficient default transport security when connecting to…

  • CVE-2025-11043 · High · Jan 19, 2026
    risk 0.48 · CVSS 7.4 · EPSS 0.00

    An Improper Certificate Validation vulnerability in the OPC-UA client and ANSL over TLS client used in Automation Studio versions before 6.5 could allow an unauthenticated attacker on the network to position themselves to intercept and interfere with data exchanges.

  • CVE-2025-40800 · High · Dec 9, 2025
    risk 0.48 · CVSS 7.4 · EPSS 0.00

    A vulnerability has been identified in COMOS V10.6 (All versions < V10.6.1), COMOS V10.6 (All versions < V10.6.1), NX V2412 (All versions < V2412.8700), NX V2506 (All versions < V2506.6000), Simcenter 3D (All versions < V2506.6000), Simcenter Femap (All versions < V2506.0002),…

  • CVE-2024-7383 · High · Aug 5, 2024
    risk 0.48 · CVSS 7.4 · EPSS 0.00

    A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic.

  • CVE-2018-0434 · High · Oct 5, 2018
    risk 0.48 · CVSS 7.4 · EPSS 0.01

    A vulnerability in the Zero Touch Provisioning feature of the Cisco SD-WAN Solution could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data by using an invalid certificate. The vulnerability is due to insufficient certificate validation by…

  • CVE-2018-0650 · High · Sep 7, 2018
    risk 0.48 · CVSS 7.4 · EPSS 0.01

    The LINE MUSIC for Android version 3.1.0 to versions prior to 3.6.5 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

  • CVE-2018-1999035 · High · Aug 1, 2018
    risk 0.48 · CVSS 7.4 · EPSS 0.01

    A man in the middle vulnerability exists in Jenkins Inedo BuildMaster Plugin 1.3 and earlier in BuildMasterConfiguration.java, BuildMasterConfig.java, BuildMasterApi.java that allows attackers to impersonate any service that Jenkins connects to.

  • CVE-2018-1999034 · High · Aug 1, 2018
    risk 0.48 · CVSS 7.4 · EPSS 0.01

    A man in the middle vulnerability exists in Jenkins Inedo ProGet Plugin 0.8 and earlier in ProGetApi.java, ProGetConfig.java, ProGetConfiguration.java that allows attackers to impersonate any service that Jenkins connects to.

  • CVE-2018-8020 · High · Jul 31, 2018
    risk 0.48 · CVSS 7.4 · EPSS 0.04

    Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 has a flaw that does not properly check OCSP pre-produced responses, which are lists (multiple entries) of certificate statuses. Subsequently, revoked client certificates may not be properly identified, allowing for users…

  • CVE-2018-8019 · High · Jul 31, 2018
    risk 0.48 · CVSS 7.4 · EPSS 0.04

    When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked…

  • CVE-2018-0622 · High · Jul 26, 2018
    risk 0.48 · CVSS 7.4 · EPSS 0.01

    The DHC Online Shop App for Android version 3.2.0 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

  • CVE-2017-14709 · High · Jul 12, 2018
    risk 0.48 · CVSS 7.4 · EPSS 0.00

    The komoot GmbH "Komoot - Cycling & Hiking Maps" app before 9.3.2 -- aka komoot-cycling-hiking-maps/id447374873 -- for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a…

  • CVE-2018-12499 · High · Jul 2, 2018
    risk 0.48 · CVSS 7.4 · EPSS 0.00

    The Motorola MBP853 firmware does not correctly validate server certificates. This allows for a Man in The Middle (MiTM) attack to take place between a Motorola MBP853 camera and the servers it communicates with. In one such instance, it was identified that the device was…

  • CVE-2018-1000605 · High · Jun 26, 2018
    risk 0.48 · CVSS 7.4 · EPSS 0.01

    A man in the middle vulnerability exists in Jenkins CollabNet Plugin 2.0.4 and earlier in CollabNetApp.java, CollabNetPlugin.java, CNFormFieldValidator.java that allows attackers to impersonate any service that Jenkins connects to.

  • CVE-2018-0611 · High · Jun 26, 2018
    risk 0.48 · CVSS 7.4 · EPSS 0.01

    The ANA App for iOS version 4.0.22 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

  • CVE-2018-1153 · High · Jun 18, 2018
    risk 0.48 · CVSS 7.4 · EPSS 0.00

    Burp Suite Community Edition 1.7.32 and 1.7.33 fail to validate the server certificate in a couple of HTTPS requests which allows a man in the middle to modify or view traffic.

  • CVE-2018-4849 · High · May 3, 2018
    risk 0.48 · CVSS 7.4 · EPSS 0.01

    A vulnerability has been identified in Siveillance VMS Video for Android (All versions < V12.1a (2018 R1)), Siveillance VMS Video for iOS (All versions < V12.1a (2018 R1)). Improper certificate validation could allow an attacker in a privileged network position to read data from…

  • CVE-2013-7201 · High · Apr 27, 2018
    risk 0.48 · CVSS 7.4 · EPSS 0.02

    WebHybridClient.java in PayPal 5.3 and earlier for Android ignores SSL errors, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information.