Total: 1005 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2020-7919 | 4 Debian, Fedoraproject, Golang and 1 more | 4 Debian Linux, Fedora, Go and 1 more | 2024-02-28 | 7.8 HIGH | 7.5 HIGH | Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.
CVE-2020-1113 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2024-02-28 | 9.3 HIGH | 7.5 HIGH | A security feature bypass vulnerability exists in Microsoft Windows when the Task Scheduler service fails to properly verify client connections over RPC, aka 'Windows Task Scheduler Security Feature Bypass Vulnerability'.
CVE-2020-11806 | 1 Mailstore | 1 Mailstore Server | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM | In MailStore Outlook Add-in (and Email Archive Outlook Add-in) through 12.1.2, the login process does not validate the validity of the certificate presented by the server.
CVE-2020-15047 | 1 Trojita Project | 1 Trojita | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM | MSA/SMTP.cpp in Trojita before 0.8 ignores certificate-verification errors, which allows man-in-the-middle attackers to spoof SMTP servers.
CVE-2020-13482 | 2 Em-http-request Project, Fedoraproject | 2 Em-http-request, Fedora | 2024-02-28 | 5.8 MEDIUM | 7.4 HIGH | EM-HTTP-Request 1.1.5 uses the library eventmachine in an insecure way that allows an attacker to perform a man-in-the-middle attack against users of the library. The hostname in a TLS server certificate is not verified.
CVE-2020-14980 | 1 Sophos | 1 Sophos Secure Email | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM | The Sophos Secure Email application through 3.9.4 for Android has Missing SSL Certificate Validation.
CVE-2019-10091 | 1 Apache | 1 Geode | 2024-02-28 | 4.0 MEDIUM | 7.4 HIGH | When TLS is enabled with ssl-endpoint-identification-enabled set to true, Apache Geode fails to perform hostname verification of the entries in the certificate SAN during the SSL handshake. This could compromise intra-cluster communication using a man-in-the-middle attack.
CVE-2020-17366 | 1 Nlnetlabs | 1 Routinator | 2024-02-28 | 5.8 MEDIUM | 7.4 HIGH | An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. It allows remote attackers to bypass intended access restrictions or to cause a denial of service on dependent routing systems by strategically withholding RPKI Route Origin Authorisation ".roa" files or X509 Certificate Revocation List files from the RPKI relying party's view.
CVE-2020-8172 | 2 Nodejs, Oracle | 5 Node.js, Banking Extensibility Workbench, Blockchain Platform and 2 more | 2024-02-28 | 5.8 MEDIUM | 7.4 HIGH | TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.
CVE-2020-11050 | 1 Java-websocket Project | 1 Java-websocket | 2024-02-28 | 6.8 MEDIUM | 8.1 HIGH | In Java-WebSocket less than or equal to 1.4.1, there is an Improper Validation of Certificate with Host Mismatch where WebSocketClient does not perform SSL hostname validation. This has been patched in 1.5.0.
CVE-2020-5913 | 1 F5 | 14 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 11 more | 2024-02-28 | 5.8 MEDIUM | 7.4 HIGH | In versions 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.2, the BIG-IP Client or Server SSL profile ignores revoked certificates, even when a valid CRL is present. This impacts SSL/TLS connections and may result in a man-in-the-middle attack on the connections.
CVE-2020-6529 | 4 Debian, Fedoraproject, Google and 1 more | 5 Debian Linux, Fedora, Chrome and 2 more | 2024-02-28 | 4.3 MEDIUM | 4.3 MEDIUM | Inappropriate implementation in WebRTC in Google Chrome prior to 84.0.4147.89 allowed an attacker in a privileged network position to leak cross-origin data via a crafted HTML page.
CVE-2020-12637 | 1 Zulipchat | 1 Zulip Desktop | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | Zulip Desktop before 5.2.0 has Missing SSL Certificate Validation because all validation was inadvertently disabled during an attempt to recognize the ignoreCerts option.
CVE-2020-25276 | 1 Primekey | 1 Ejbca | 2024-02-28 | 6.8 MEDIUM | 7.3 HIGH | An issue was discovered in PrimeKey EJBCA 6.x and 7.x before 7.4.1. When using a client certificate to enroll over the EST protocol, no revocation check is performed on that certificate. This vulnerability can only affect a system that has EST configured, uses client certificates to authenticate enrollment, and has had such a certificate revoked. This certificate needs to belong to a role that is authorized to enroll new end entities. (To completely mitigate this problem prior to upgrade, remove any revoked client certificates from their respective roles.)
CVE-2020-13616 | 1 Pichi Project | 1 Pichi | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM | The boost ASIO wrapper in net/asio.cpp in Pichi before 1.3.0 lacks TLS hostname verification.
CVE-2019-12000 | 1 Hp | 1 Mse Msg Gw Application E-ltu | 2024-02-28 | 5.4 MEDIUM | 6.6 MEDIUM | HPE has found a potential Remote Access Restriction Bypass in HPE MSE Msg Gw application E-LTU prior to version 3.2 when HTTPS is used between the USSD and an external USSD service logic application. Update to version 3.2 and update the HTTPS configuration as described in the HPE MSE Messaging Gateway Configuration and Operations Guide.
CVE-2020-10059 | 1 Zephyrproject | 1 Zephyr | 2024-02-28 | 5.8 MEDIUM | 4.8 MEDIUM | The UpdateHub module disables DTLS peer checking, which allows for a man in the middle attack. This is mitigated by firmware images requiring valid signatures. However, there is no benefit to using DTLS without the peer checking. See NCC-ZEP-018. This issue affects: zephyrproject-rtos zephyr version 2.1.0 and later versions.
CVE-2019-19101 | 1 Br-automation | 1 Automation Studio | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM | A missing secure communication definition and an incomplete TLS validation in the upgrade service in B&R Automation Studio versions 4.0.x, 4.1.x, 4.2.x, < 4.3.11SP, < 4.4.9SP, < 4.5.5SP, < 4.6.4 and < 4.7.2 enable unauthenticated users to perform MITM attacks via the B&R upgrade server.
CVE-2019-4654 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2024-02-28 | 5.8 MEDIUM | 4.8 MEDIUM | IBM QRadar 7.3.0 to 7.3.3 Patch 2 does not validate, or incorrectly validates, a certificate which could allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. IBM X-Force ID: 170965.
CVE-2020-9040 | 1 Couchbase | 1 Couchbase Server Java Sdk | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | Couchbase Server Java SDK before 2.7.1.1 allows a potential attacker to forge an SSL certificate and pose as the intended peer. An attacker can leverage this flaw by crafting a cryptographically valid certificate that will be accepted by Java SDK's Netty component due to missing hostname verification.