Total
1004 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-5909 | 4 Ge, Ptc, Rockwellautomation and 1 more | 8 Industrial Gateway Server, Keepserverex, Opc-aggregator and 5 more | 2024-02-28 | N/A | 7.5 HIGH |
| KEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect. | |||||
| CVE-2023-33757 | 1 Splicecom | 2 Ipcs, Ipcs2 | 2024-02-28 | N/A | 5.9 MEDIUM |
| A lack of SSL certificate validation in Splicecom iPCS (iOS App) v1.3.4, iPCS2 (iOS App) v2.8 and before, and iPCS (Android App) v1.8.5 and before allows attackers to eavesdrop on communications via a man-in-the-middle attack. | |||||
| CVE-2023-1514 | 1 Hitachienergy | 1 Rtu500 Scripting Interface | 2024-02-28 | N/A | 7.5 HIGH |
| A vulnerability exists in the component RTU500 Scripting interface. When a client connects to a server using TLS, the server presents a certificate. This certificate links a public key to the identity of the service and is signed by a Certification Authority (CA), allowing the client to validate that the remote service can be trusted and is not malicious. If the client does not validate the parameters of the certificate, then attackers could be able to spoof the identity of the service. An attacker could exploit the vulnerability by using faking the identity of a RTU500 device and intercepting the messages initiated via the RTU500 Scripting interface. | |||||
| CVE-2023-33760 | 1 Splicecom | 1 Maximiser Soft Pbx | 2024-02-28 | N/A | 5.3 MEDIUM |
| SpliceCom Maximiser Soft PBX v1.5 and before was discovered to utilize a default SSL certificate. This issue can allow attackers to eavesdrop on communications via a man-in-the-middle attack. | |||||
| CVE-2023-43082 | 1 Dell | 3 Unity Operating Environment, Unity Xt Operating Environment, Unityvsa Operating Environment | 2024-02-28 | N/A | 5.9 MEDIUM |
| Dell Unity prior to 5.3 contains a 'man in the middle' vulnerability in the vmadapter component. If a customer has a certificate signed by a third-party public Certificate Authority, the vCenter CA could be spoofed by an attacker who can obtain a CA-signed certificate. | |||||
| CVE-2009-4123 | 1 Jruby | 1 Jruby-openssl | 2024-02-28 | N/A | 7.5 HIGH |
| The jruby-openssl gem before 0.6 for JRuby mishandles SSL certificate validation. | |||||
| CVE-2023-28807 | 1 Zscaler | 1 Secure Internet And Saas Access | 2024-02-28 | N/A | 7.5 HIGH |
| In Zscaler Internet Access (ZIA) a mismatch between Connect Host and Client Hello's Server Name Indication (SNI) enables attackers to evade network security controls by hiding their communications within legitimate traffic. | |||||
| CVE-2024-1052 | 1 Hashicorp | 1 Boundary | 2024-02-28 | N/A | 8.0 HIGH |
| Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application. | |||||
| CVE-2023-47700 | 1 Ibm | 1 Storage Virtualize | 2024-02-28 | N/A | 7.5 HIGH |
| IBM SAN Volume Controller, IBM Storwize, IBM FlashSystem and IBM Storage Virtualize 8.6 products could allow a remote attacker to spoof a trusted system that would not be correctly validated by the Storwize server. This could lead to a user connecting to a malicious host, believing that it was a trusted system and deceived into accepting spoofed data. IBM X-Force ID: 271016. | |||||
| CVE-2023-43017 | 1 Ibm | 1 Security Verify Access | 2024-02-28 | N/A | 7.2 HIGH |
| IBM Security Verify Access 10.0.0.0 through 10.0.6.1 could allow a privileged user to install a configuration file that could allow remote access. IBM X-Force ID: 266155. | |||||
| CVE-2023-48054 | 1 Localstack | 1 Localstack | 2024-02-28 | N/A | 7.4 HIGH |
| Missing SSL certificate validation in localstack v2.3.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack. | |||||
| CVE-2023-42425 | 1 Turing | 2 Edge\+ Evc5fd, Edge\+ Evc5fd Firmware | 2024-02-28 | N/A | 9.8 CRITICAL |
| An issue in Turing Video Turing Edge+ EVC5FD v.1.38.6 allows remote attacker to execute arbitrary code and obtain sensitive information via the cloud connection components. | |||||
| CVE-2023-3724 | 1 Wolfssl | 1 Wolfssl | 2024-02-28 | N/A | 8.8 HIGH |
| If a TLS 1.3 client gets neither a PSK (pre shared key) extension nor a KSE (key share extension) when connecting to a malicious server, a default predictable buffer gets used for the IKM (Input Keying Material) value when generating the session master secret. Using a potentially known IKM value when generating the session master secret key compromises the key generated, allowing an eavesdropper to reconstruct it and potentially allowing access to or meddling with message contents in the session. This issue does not affect client validation of connected servers, nor expose private key information, but could result in an insecure TLS 1.3 session when not controlling both sides of the connection. wolfSSL recommends that TLS 1.3 client side users update the version of wolfSSL used. | |||||
| CVE-2023-45613 | 1 Jetbrains | 1 Ktor | 2024-02-28 | N/A | 9.1 CRITICAL |
| In JetBrains Ktor before 2.3.5 server certificates were not verified | |||||
| CVE-2023-38356 | 1 Minitool | 1 Power Data Recovery | 2024-02-28 | N/A | 8.1 HIGH |
| MiniTool Power Data Recovery 11.6 contains an insecure installation process that allows attackers to achieve remote code execution through a man in the middle attack. | |||||
| CVE-2022-3761 | 1 Openvpn | 1 Connect | 2024-02-28 | N/A | 5.9 MEDIUM |
| OpenVPN Connect versions before 3.4.0.4506 (macOS) and OpenVPN Connect before 3.4.0.3100 (Windows) allows man-in-the-middle attackers to intercept configuration profile download requests which contains the users credentials | |||||
| CVE-2022-22380 | 3 Apple, Ibm, Microsoft | 3 Macos, Security Verify Privilege On-premises, Windows | 2024-02-28 | N/A | 4.3 MEDIUM |
| IBM Security Verify Privilege On-Premises 11.5 could allow an attacker to spoof a trusted entity due to improperly validating certificates. IBM X-Force ID: 221957. | |||||
| CVE-2023-35845 | 2 Anaconda, Linux | 2 Anaconda3, Linux Kernel | 2024-02-28 | N/A | 4.7 MEDIUM |
| Anaconda 3 2023.03-1-Linux allows local users to disrupt TLS certificate validation by modifying the cacert.pem file used by the installed pip program. This occurs because many files are installed as world-writable on Linux, ignoring umask, even when these files are installed as root. Miniconda is also affected. | |||||
| CVE-2023-2422 | 1 Redhat | 4 Enterprise Linux, Keycloak, Openshift Container Platform and 1 more | 2024-02-28 | N/A | 7.1 HIGH |
| A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to other clients. | |||||
| CVE-2023-30729 | 1 Samsung | 1 Email | 2024-02-28 | N/A | 7.5 HIGH |
| Improper Certificate Validation in Samsung Email prior to version 6.1.82.0 allows remote attacker to intercept the network traffic including sensitive information. | |||||