Total
1039 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-5905 | 1 Dollar Bank | 1 Dollar Bank Mobile | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
The Dollar Bank Mobile app 2.6.3 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
CVE-2017-5902 | 1 Payquicker | 1 Mypayquicker | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
The PayQuicker app 1.0.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
CVE-2017-5901 | 1 State Bank Of India | 1 State Bank Anywhere | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
The State Bank of India State Bank Anywhere app 5.1.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
CVE-2017-5887 | 1 Starscream Project | 1 Starscream | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
WebSocket.swift in Starscream before 2.0.4 allows an SSL Pinning bypass because pinning occurs in the stream function (this is too late; pinning should occur in the initStreamsWithData function). | |||||
CVE-2017-5653 | 1 Apache | 1 Cxf | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers. | |||||
CVE-2017-4981 | 1 Dell | 1 Bsafe Cert-c | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
EMC RSA BSAFE Cert-C before 2.9.0.5 contains a potential improper certificate processing vulnerability. | |||||
CVE-2017-3563 | 1 Oracle | 1 Vm Virtualbox | 2024-11-21 | 4.6 MEDIUM | 8.8 HIGH |
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.0.38 and Prior to 5.1.20. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | |||||
CVE-2017-3213 | 1 Think Mutual Bank | 1 Think Mutual Bank Mobile Banking App | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
The Think Mutual Bank Mobile Banking app 3.1.5 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
CVE-2017-3212 | 1 Sccu | 1 Space Coast Credit Union | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
The Space Coast Credit Union Mobile app 2.2 for iOS and 2.1.0.1104 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
CVE-2017-3190 | 1 Axs | 1 Flash Seats | 2024-11-21 | 2.9 LOW | 7.5 HIGH |
Flash Seats Mobile App for Android version 1.7.9 and earlier and for iOS version 1.9.51 and earlier fails to properly validate SSL certificates provided by HTTPS connections, which may enable an attacker to conduct man-in-the-middle (MITM) attacks. | |||||
CVE-2017-3182 | 1 Threatmetrix | 1 Threatmetrix Sdk | 2024-11-21 | 4.3 MEDIUM | 6.8 MEDIUM |
On the iOS platform, the ThreatMetrix SDK versions prior to 3.2 fail to validate SSL certificates provided by HTTPS connections, which may allow an attacker to perform a man-in-the-middle (MITM) attack. ThreatMetrix is a security library for mobile applications, which aims to provide fraud prevention and device identity capabilities. The ThreatMetrix SDK versions prior to 3.2 do not validate SSL certificates on the iOS platform. An affected application will communicate with https://h-sdk.online-metrix.net, regardless of whether the connection is secure or not. An attacker on the same network as or upstream from the iOS device may be able to view or modify ThreatMetrix network traffic that should have been protected by HTTPS. | |||||
CVE-2017-2913 | 1 Meetcircle | 2 Circle With Disney, Circle With Disney Firmware | 2024-11-21 | 2.6 LOW | 5.9 MEDIUM |
An exploitable vulnerability exists in the filtering functionality of Circle with Disney. SSL certificates for specific domain names can cause the Bluecoat library to accept a different certificate than intended. An attacker can host an HTTPS server with this certificate to trigger this vulnerability. | |||||
CVE-2017-2836 | 2 Debian, Freerdp | 2 Debian Linux, Freerdp | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
An exploitable denial of service vulnerability exists within the reading of proprietary server certificates in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability. | |||||
CVE-2017-2800 | 1 Wolfssl | 1 Wolfssl | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
A specially crafted x509 certificate can cause a single out of bounds byte overwrite in wolfSSL through 3.10.2 resulting in potential certificate validation vulnerabilities, denial of service and possible remote code execution. In order to trigger this vulnerability, the attacker needs to supply a malicious x509 certificate to either a server or a client application using this library. | |||||
CVE-2017-2784 | 1 Arm | 1 Mbed Tls | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
An exploitable free of a stack pointer vulnerability exists in the x509 certificate parsing code of ARM mbed TLS before 1.3.19, 2.x before 2.1.7, and 2.4.x before 2.4.2. A specially crafted x509 certificate, when parsed by mbed TLS library, can cause an invalid free of a stack pointer leading to a potential remote code execution. In order to exploit this vulnerability, an attacker can act as either a client or a server on a network to deliver malicious x509 certificates to vulnerable applications. | |||||
CVE-2017-2667 | 2 Redhat, Theforeman | 3 Satellite, Satellite Capsule, Hammer Cli | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
Hammer CLI, a CLI utility for Foreman, before version 0.10.0, did not explicitly set the verify_ssl flag for apipie-bindings that disable it by default. As a result the server certificates are not checked and connections are prone to man-in-the-middle attacks. | |||||
CVE-2017-2649 | 1 Jenkins | 1 Active Directory | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
It was found that the Active Directory Plugin for Jenkins up to and including version 2.2 did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks. | |||||
CVE-2017-2648 | 1 Jenkins | 1 Ssh Slaves | 2024-11-21 | 6.8 MEDIUM | 6.8 MEDIUM |
It was found that jenkins-ssh-slaves-plugin before version 1.15 did not perform host key verification, thereby enabling Man-in-the-Middle attacks. | |||||
CVE-2017-2639 | 1 Redhat | 2 Cloudforms, Cloudforms Management Engine | 2024-11-21 | 5.0 MEDIUM | 6.5 MEDIUM |
It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization (RHEV) and OpenShift. This would allow an attacker to spoof RHEV or OpenShift systems and potentially harvest sensitive information from CloudForms. | |||||
CVE-2017-2629 | 1 Haxx | 1 Curl | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality. This flaw also exists in the command line tool (--cert-status). |