Total: 1004 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-25140 | 2 Microsoft, Rustdesk | 2 Windows, Rustdesk | 2024-08-29 | N/A | 9.8 CRITICAL | A default installation of RustDesk 1.2.3 on Windows places a WDKTestCert certificate under Trusted Root Certification Authorities with Enhanced Key Usage of Code Signing (1.3.6.1.5.5.7.3.3), valid from 2023 until 2033. This is potentially unwanted, e.g., because there is no public documentation of security measures for the private key, and arbitrary software could be signed if the private key were to be compromised. NOTE: the vendor's position is "we do not have EV cert, so we use test cert as a workaround." Insertion into Trusted Root Certification Authorities was the originally intended behavior, and the UI ensured that the certificate installation step (checked by default) was visible to the user before proceeding with the product installation.
CVE-2024-41996 | | | 2024-08-26 | N/A | 7.5 HIGH | Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.
CVE-2023-50314 | 1 Ibm | 1 Websphere Application Server | 2024-08-23 | N/A | 7.5 HIGH | IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.8 could allow an attacker with access to the network to conduct spoofing attacks. An attacker could exploit this vulnerability using a certificate issued by a trusted authority to obtain sensitive information. IBM X-Force ID: 274713.
CVE-2024-37311 | | | 2024-08-23 | N/A | 8.2 HIGH | Collabora Online is a collaborative online office suite based on LibreOffice. In affected versions of Collabora Online, https connections from coolwsd to other hosts may incompletely verify the remote host's certificate against the full chain of trust. This vulnerability is fixed in Collabora Online 24.04.4.3, 23.05.14.1, and 22.05.23.1.
CVE-2024-37865 | 1 S3browser | 1 S3 Browser | 2024-08-19 | N/A | 5.9 MEDIUM | An issue in S3Browser v.11.4.5 and v.10.9.9, fixed in v.11.5.7, allows a remote attacker to obtain sensitive information via the S3 compatible storage component.
CVE-2024-41264 | 1 Casbin | 1 Casdoor | 2024-08-16 | N/A | 7.5 HIGH | An issue discovered in casdoor v1.636.0 allows attackers to obtain sensitive information via the ssh.InsecureIgnoreHostKey() method.
CVE-2024-28021 | 1 Hitachienergy | 3 Foxman-un, Foxman Un, Unem | 2024-08-15 | N/A | 7.4 HIGH | A vulnerability exists in the FOXMAN-UN/UNEM server that affects the message queueing mechanism's certificate validation. If exploited, an attacker could spoof a trusted entity, causing a loss of confidentiality and integrity.
CVE-2024-25141 | | | 2024-08-15 | N/A | 9.1 CRITICAL | When ssl was enabled for Mongo Hook, default settings included "allow_insecure", which caused certificates not to be validated. This was unexpected and undocumented. Users are recommended to upgrade to version 4.0.0, which fixes this issue.
CVE-2024-41256 | 1 Filestash | 1 Filestash | 2024-08-15 | N/A | 5.9 MEDIUM | Default configurations in the ShareProofVerifier function of filestash v0.4 cause the application to skip the TLS certificate verification process when sending out email verification codes, possibly allowing attackers to access sensitive data via a man-in-the-middle attack.
CVE-2024-40464 | 1 Beego | 1 Beego | 2024-08-15 | N/A | 8.8 HIGH | An issue in beego v.2.2.0 and before allows a remote attacker to escalate privileges via the sendMail function located in the beego/core/logs/smtp.go file.
CVE-2023-48052 | 1 Httpie | 1 Httpie | 2024-08-14 | N/A | 7.4 HIGH | Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.
CVE-2022-32509 | | | 2024-08-14 | N/A | 8.8 HIGH | An issue was discovered on certain Nuki Home Solutions devices. Lack of certificate validation on HTTP communications allows attackers to intercept and tamper with data. This affects Nuki Smart Lock 3.0 before 3.3.5, Nuki Bridge v1 before 1.22.0 and Nuki Bridge v2 before 2.13.2.
CVE-2024-42395 | 2 Arubanetworks, Hp | 2 Arubaos, Instantos | 2024-08-12 | N/A | 9.8 CRITICAL | There is a vulnerability in the AP Certificate Management Service which could allow a threat actor to execute an unauthenticated RCE attack. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system, leading to complete system compromise.
CVE-2024-5445 | | | 2024-08-12 | N/A | 3.8 LOW | Ecosystem Agent version 4 < 4.5.1.2597 and Ecosystem Agent version 5 < 5.1.4.2473 did not properly validate SSL/TLS certificates, which could allow a malicious actor to perform a Man-in-the-Middle and intercept traffic between the agent and N-able servers from a privileged network position.
CVE-2024-32865 | 1 Johnsoncontrols | 1 Exacqvision Server | 2024-08-09 | N/A | 7.3 HIGH | Under certain circumstances the exacqVision Server will not properly validate TLS certificates provided by connected devices.
CVE-2022-31105 | 2 Argoproj, Linuxfoundation | 2 Argo Cd, Argo-cd | 2024-08-07 | 5.1 MEDIUM | 9.6 CRITICAL | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) OpenID Connect (OIDC) provider. A patch for this vulnerability has been released in Argo CD versions 2.4.5, 2.3.6, and 2.2.11. There are no complete workarounds, but a partial workaround is available. Those who use an external OIDC provider (not the bundled Dex instance) can mitigate the issue by setting the `oidc.config.rootCA` field in the `argocd-cm` ConfigMap. This mitigation only forces certificate validation when the API server handles login flows. It does not force certificate verification when verifying tokens on API calls.
CVE-2024-6472 | | | 2024-08-06 | N/A | 7.8 HIGH | Certificate Validation user interface in LibreOffice allows potential vulnerability. Signed macros are scripts that have been digitally signed by the developer using a cryptographic signature. When a document with a signed macro is opened, a warning is displayed by LibreOffice before the macro is executed. Previously, if verification failed, the user could fail to understand the failure and choose to enable the macros anyway. This issue affects LibreOffice: from 24.2 before 24.2.5.
CVE-2024-27440 | | | 2024-08-05 | N/A | 4.8 MEDIUM | The Toyoko Inn official App for iOS versions prior to 1.13.0 and Toyoko Inn official App for Android versions prior to 1.3.14 don't properly verify server certificates, which allows a man-in-the-middle attacker to spoof servers and obtain sensitive information via a crafted certificate.
CVE-2018-21029 | 2 Fedoraproject, Systemd Project | 2 Fedora, Systemd | 2024-08-05 | 7.5 HIGH | 9.8 CRITICAL | systemd 239 through 245 accepts any certificate signed by a trusted certificate authority for DNS Over TLS. Server Name Indication (SNI) is not sent, and there is no hostname validation with the GnuTLS backend. NOTE: This has been disputed by the developer as not a vulnerability, since hostname validation does not have anything to do with this issue (i.e., there is no hostname to be sent).
CVE-2018-20200 | 1 Squareup | 1 Okhttp | 2024-08-05 | 4.3 MEDIUM | 5.9 MEDIUM | CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some parties don't consider this a vulnerability. Their rationale can be found in https://github.com/square/okhttp/issues/4967