Total
1040 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-5506 | 1 Netapp | 1 Clustered Data Ontap | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| Clustered Data ONTAP versions 9.0 and higher do not enforce hostname verification under certain circumstances making them susceptible to impersonation via man-in-the-middle attacks. | |||||
| CVE-2019-5280 | 1 Huawei | 2 Cloudlink Phone 7900, Cloudlink Phone 7900 Firmware | 2024-11-21 | 5.8 MEDIUM | 6.5 MEDIUM |
| The SIP TLS module of Huawei CloudLink Phone 7900 with V600R019C10 has a TLS certificate verification vulnerability. Due to insufficient verification of specific parameters of the TLS server certificate, attackers can perform man-in-the-middle attacks, leading to the affected phones registered abnormally, affecting the availability of IP phones. | |||||
| CVE-2019-5102 | 1 Openwrt | 1 Openwrt | 2024-11-21 | 4.3 MEDIUM | 4.0 MEDIUM |
| An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1. When connecting to a remote server, the server's SSL certificate is checked but no action is taken when the certificate is invalid. An attacker could exploit this behavior by performing a man-in-the-middle attack, providing any certificate, leading to the theft of all the data sent by the client during the first request.An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1. When connecting to a remote server, the server's SSL certificate is checked but no action is taken when the certificate is invalid. An attacker could exploit this behavior by performing a man-in-the-middle attack, providing any certificate, leading to the theft of all the data sent by the client during the first request. | |||||
| CVE-2019-5101 | 1 Openwrt | 1 Openwrt | 2024-11-21 | 4.3 MEDIUM | 4.0 MEDIUM |
| An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1. When connecting to a remote server, the server's SSL certificate is checked but no action is taken when the certificate is invalid. An attacker could exploit this behavior by performing a man-in-the-middle attack, providing any certificate, leading to the theft of all the data sent by the client during the first request.An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1. When connecting to a remote server, the server's SSL certificate is checked but no action is taken when the certificate is invalid. An attacker could exploit this behavior by performing a man-in-the-middle attack, providing any certificate, leading to the theft of all the data sent by the client during the first request. After an SSL connection is initialized via _ustream_ssl_init, and after any data (e.g. the client's HTTP request) is written to the stream using ustream_printf, the code eventually enters the function _ustream_ssl_poll, which is used to dispatch the read/write events | |||||
| CVE-2019-4654 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2024-11-21 | 5.8 MEDIUM | 4.8 MEDIUM |
| IBM QRadar 7.3.0 to 7.3.3 Patch 2 does not validate, or incorrectly validates, a certificate which could allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. IBM X-ForceID: 170965. | |||||
| CVE-2019-4264 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM QRadar SIEM 7.2.8 WinCollect could allow an attacker to obtain sensitive information by spoofing a trusted entity using man in the middle techniques due to not validating or incorrectly validating a certificate. IBM X-Force ID: 160072. | |||||
| CVE-2019-4150 | 1 Ibm | 1 Security Access Manager | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
| IBM Security Access Manager 9.0.1 through 9.0.6 does not validate, or incorrectly validates, a certificate which could allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. IBM X-Force ID: 158510. | |||||
| CVE-2019-3890 | 2 Gnome, Redhat | 2 Evolution-ews, Enterprise Linux | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
| It was discovered evolution-ews before 3.31.3 does not check the validity of SSL certificates. An attacker could abuse this flaw to get confidential information by tricking the user into connecting to a fake server without the user noticing the difference. | |||||
| CVE-2019-3875 | 1 Redhat | 2 Keycloak, Single Sign-on | 2024-11-21 | 5.8 MEDIUM | 6.5 MEDIUM |
| A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols ('http' or 'ldap') and hence the caller should verify the signature and possibly the certification path. Keycloak currently doesn't validate signatures on CRL, which can result in a possibility of various attacks like man-in-the-middle. | |||||
| CVE-2019-3841 | 1 Kubevirt | 1 Containerized Data Importer | 2024-11-21 | 4.9 MEDIUM | 7.4 HIGH |
| Kubevirt/virt-cdi-importer, versions 1.4.0 to 1.5.3 inclusive, were reported to disable TLS certificate validation when importing data into PVCs from container registries. This could enable man-in-the-middle attacks between a container registry and the virt-cdi-component, leading to possible undetected tampering of trusted container image content. | |||||
| CVE-2019-3814 | 3 Canonical, Dovecot, Opensuse | 3 Ubuntu Linux, Dovecot, Leap | 2024-11-21 | 4.9 MEDIUM | 7.7 HIGH |
| It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users. | |||||
| CVE-2019-3807 | 1 Powerdns | 1 Recursor | 2024-11-21 | 6.4 MEDIUM | 3.7 LOW |
| An issue has been found in PowerDNS Recursor versions 4.1.x before 4.1.9 where records in the answer section of responses received from authoritative servers with the AA flag not set were not properly validated, allowing an attacker to bypass DNSSEC validation. | |||||
| CVE-2019-3777 | 1 Pivotal Software | 1 Application Service | 2024-11-21 | 5.0 MEDIUM | 8.0 HIGH |
| Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain apps manager that uses a cloud controller proxy that fails to verify SSL certs. A remote unauthenticated attacker that could hijack the Cloud Controller's DNS record could intercept access tokens sent to the Cloud Controller, giving the attacker access to the user's resources in the Cloud Controller | |||||
| CVE-2019-3762 | 1 Dell | 2 Emc Data Protection Central, Emc Integrated Data Protection Appliance | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Data Protection Central versions 1.0, 1.0.1, 18.1, 18.2, and 19.1 contains an Improper Certificate Chain of Trust Vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by obtaining a CA signed certificate from Data Protection Central to impersonate a valid system to compromise the integrity of data. | |||||
| CVE-2019-3751 | 1 Dell | 1 Emc Enterprise Copy Data Management | 2024-11-21 | 5.8 MEDIUM | 6.4 MEDIUM |
| Dell EMC Enterprise Copy Data Management (eCDM) versions 1.0, 1.1, 2.0, 2.1, and 3.0 contain a certificate validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to carry out a man-in-the-middle attack by supplying a crafted certificate and intercepting the victim's traffic to view or modify a victim’s data in transit. | |||||
| CVE-2019-3685 | 1 Opensuse | 1 Open Build Service | 2024-11-21 | 6.8 MEDIUM | 7.4 HIGH |
| Open Build Service before version 0.165.4 diddn't validate TLS certificates for HTTPS connections with the osc client binary | |||||
| CVE-2019-20894 | 1 Traefik | 1 Traefik | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| Traefik 2.x, in certain configurations, allows HTTPS sessions to proceed without mutual TLS verification in a situation where ERR_BAD_SSL_CLIENT_AUTH_CERT should have occurred. | |||||
| CVE-2019-20455 | 1 Globalpayments | 1 Php Sdk | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| Gateways/Gateway.php in Heartland & Global Payments PHP SDK before 2.0.0 does not enforce SSL certificate validations. | |||||
| CVE-2019-1948 | 1 Cisco | 1 Webex Meetings | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| A vulnerability in Cisco Webex Meetings Mobile (iOS) could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data by using an invalid Secure Sockets Layer (SSL) certificate. The vulnerability is due to insufficient SSL certificate validation by the affected software. An attacker could exploit this vulnerability by supplying a crafted SSL certificate to an affected device. A successful exploit could allow the attacker to conduct man-in-the-middle attacks to decrypt confidential information on user connections to the affected software. | |||||
| CVE-2019-1940 | 1 Cisco | 1 Industrial Network Director | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| A vulnerability in the Web Services Management Agent (WSMA) feature of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data using an invalid X.509 certificate. The vulnerability is due to insufficient X.509 certificate validation when establishing a WSMA connection. An attacker could exploit this vulnerability by supplying a crafted X.509 certificate during the WSMA connection setup phase. A successful exploit could allow the attacker to conduct man-in-the-middle attacks to decrypt confidential information on WSMA connections to the affected software. At the time of publication, this vulnerability affected Cisco IND Software releases prior to 1.7. | |||||