Total
1007 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-11550 | 1 Citrix | 2 Netscaler Sd-wan, Sd-wan | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM |
| Citrix SD-WAN 10.2.x before 10.2.1 and NetScaler SD-WAN 10.0.x before 10.0.7 have Improper Certificate Validation. | |||||
| CVE-2019-1552 | 1 Openssl | 1 Openssl | 2024-02-28 | 1.9 LOW | 3.3 LOW |
| OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). | |||||
| CVE-2019-13050 | 5 F5, Fedoraproject, Gnupg and 2 more | 5 Traffix Signaling Delivery Controller, Fedora, Gnupg and 2 more | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack. | |||||
| CVE-2019-1010275 | 1 Helm | 1 Helm | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. The impact is: Unauthorized clients could connect to the server because self-signed client certs were aloowed. The component is: helm (many files updated, see https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50). The attack vector is: A malicious client could connect to the server over the network. The fixed version is: 2.7.2. | |||||
| CVE-2019-1940 | 1 Cisco | 1 Industrial Network Director | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM |
| A vulnerability in the Web Services Management Agent (WSMA) feature of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data using an invalid X.509 certificate. The vulnerability is due to insufficient X.509 certificate validation when establishing a WSMA connection. An attacker could exploit this vulnerability by supplying a crafted X.509 certificate during the WSMA connection setup phase. A successful exploit could allow the attacker to conduct man-in-the-middle attacks to decrypt confidential information on WSMA connections to the affected software. At the time of publication, this vulnerability affected Cisco IND Software releases prior to 1.7. | |||||
| CVE-2019-11727 | 1 Mozilla | 1 Firefox | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68. | |||||
| CVE-2019-11324 | 2 Canonical, Python | 2 Ubuntu Linux, Urllib3 | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument. | |||||
| CVE-2018-20135 | 1 Samsung | 1 Galaxy Apps | 2024-02-28 | 6.8 MEDIUM | 8.1 HIGH |
| Samsung Galaxy Apps before 4.4.01.7 allows modification of the hostname used for load balancing on installations of applications through a man-in-the-middle attack. An attacker may trick Galaxy Apps into using an arbitrary hostname for which the attacker can provide a valid SSL certificate, and emulate the API of the app store to modify existing apps at installation time. The specific flaw involves an HTTP method to obtain the load-balanced hostname that enforces SSL only after obtaining a hostname from the load balancer, and a missing app signature validation in the application XML. An attacker can exploit this vulnerability to achieve Remote Code Execution on the device. The Samsung ID is SVE-2018-12071. | |||||
| CVE-2019-1231 | 1 Microsoft | 1 Project Rome | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM |
| An information disclosure vulnerability exists in the way Rome SDK handles server SSL/TLS certificate validation, aka 'Rome SDK Information Disclosure Vulnerability'. | |||||
| CVE-2019-3890 | 2 Gnome, Redhat | 2 Evolution-ews, Enterprise Linux | 2024-02-28 | 5.8 MEDIUM | 8.1 HIGH |
| It was discovered evolution-ews before 3.31.3 does not check the validity of SSL certificates. An attacker could abuse this flaw to get confidential information by tricking the user into connecting to a fake server without the user noticing the difference. | |||||
| CVE-2018-4436 | 1 Apple | 3 Iphone Os, Tvos, Watchos | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| A certificate validation issue existed in configuration profiles. This was addressed with additional checks. This issue affected versions prior to iOS 12.1.1, tvOS 12.1.1, watchOS 5.1.2. | |||||
| CVE-2019-12855 | 1 Twistedmatrix | 1 Twisted | 2024-02-28 | 5.8 MEDIUM | 7.4 HIGH |
| In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections. | |||||
| CVE-2019-3875 | 1 Redhat | 2 Keycloak, Single Sign-on | 2024-02-28 | 5.8 MEDIUM | 4.8 MEDIUM |
| A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols ('http' or 'ldap') and hence the caller should verify the signature and possibly the certification path. Keycloak currently doesn't validate signatures on CRL, which can result in a possibility of various attacks like man-in-the-middle. | |||||
| CVE-2017-18588 | 1 Security-framework Project | 1 Security-framework | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in the security-framework crate before 0.1.12 for Rust. Hostname verification for certificates does not occur if ClientBuilder uses custom root certificates. | |||||
| CVE-2019-4264 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM QRadar SIEM 7.2.8 WinCollect could allow an attacker to obtain sensitive information by spoofing a trusted entity using man in the middle techniques due to not validating or incorrectly validating a certificate. IBM X-Force ID: 160072. | |||||
| CVE-2019-1948 | 1 Cisco | 1 Webex Meetings | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM |
| A vulnerability in Cisco Webex Meetings Mobile (iOS) could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data by using an invalid Secure Sockets Layer (SSL) certificate. The vulnerability is due to insufficient SSL certificate validation by the affected software. An attacker could exploit this vulnerability by supplying a crafted SSL certificate to an affected device. A successful exploit could allow the attacker to conduct man-in-the-middle attacks to decrypt confidential information on user connections to the affected software. | |||||
| CVE-2019-1006 | 1 Microsoft | 13 .net Framework, Identitymodel, Sharepoint Enterprise Server and 10 more | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys, aka 'WCF/WIF SAML Token Authentication Bypass Vulnerability'. | |||||
| CVE-2019-7615 | 1 Elastic | 1 Apm-agent-ruby | 2024-02-28 | 5.8 MEDIUM | 7.4 HIGH |
| A TLS certificate validation flaw was found in Elastic APM agent for Ruby versions before 2.9.0. When specifying a trusted server CA certificate via the 'server_ca_cert' setting, the Ruby agent would not properly verify the certificate returned by the APM server. This could result in a man in the middle style attack against the Ruby agent. | |||||
| CVE-2019-10334 | 1 Jenkins | 1 Electricflow | 2024-02-28 | 5.8 MEDIUM | 6.5 MEDIUM |
| Jenkins ElectricFlow Plugin 1.1.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM when MultipartUtility.java is used to upload files. | |||||
| CVE-2019-11497 | 1 Couchbase | 1 Couchbase Server | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| In Couchbase Server 5.0.0, when an invalid Remote Cluster Certificate was entered as part of the reference creation, XDCR did not parse and check the certificate signature. It then accepted the invalid certificate and attempted to use it to establish future connections to the remote cluster. This has been fixed in version 5.5.0. XDCR now checks the validity of the certificate thoroughly and prevents a remote cluster reference from being created with an invalid certificate. | |||||