Total
1042 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-27098 | 1 Cncf | 1 Spire | 2021-03-16 | 5.5 MEDIUM | 8.1 HIGH |
| In SPIRE 0.8.1 through 0.8.4 and before versions 0.9.4, 0.10.2, 0.11.3 and 0.12.1, specially crafted requests to the FetchX509SVID RPC of SPIRE Server’s Legacy Node API can result in the possible issuance of an X.509 certificate with a URI SAN for a SPIFFE ID that the agent is not authorized to distribute. Proper controls are in place to require that the caller presents a valid agent certificate that is already authorized to issue at least one SPIFFE ID, and the requested SPIFFE ID belongs to the same trust domain, prior to being able to trigger this vulnerability. This issue has been fixed in SPIRE versions 0.8.5, 0.9.4, 0.10.2, 0.11.3 and 0.12.1. | |||||
| CVE-2021-22189 | 1 Gitlab | 1 Gitlab | 2021-03-10 | 6.5 MEDIUM | 7.2 HIGH |
| Starting with version 13.7 the Gitlab CE/EE editions were affected by a security issue related to the validation of the certificates for the Fortinet OTP that could result in authentication issues. | |||||
| CVE-2020-13163 | 1 Em-imap Project | 1 Em-imap | 2021-03-04 | 5.8 MEDIUM | 7.4 HIGH |
| em-imap 0.5 uses the library eventmachine in an insecure way that allows an attacker to perform a man-in-the-middle attack against users of the library. The hostname in a TLS server certificate is not verified. | |||||
| CVE-2021-3336 | 1 Wolfssl | 1 Wolfssl | 2021-03-04 | 6.8 MEDIUM | 8.1 HIGH |
| DoTls13CertificateVerify in tls13.c in wolfSSL before 4.7.0 does not cease processing for certain anomalous peer behavior (sending an ED22519, ED448, ECC, or RSA signature without the corresponding certificate). The client side is affected because man-in-the-middle attackers can impersonate TLS 1.3 servers. | |||||
| CVE-2020-24393 | 1 Tweetstream Project | 1 Tweetstream | 2021-03-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| TweetStream 2.6.1 uses the library eventmachine in an insecure way that does not have TLS hostname validation. This allows an attacker to perform a man-in-the-middle attack. | |||||
| CVE-2021-27189 | 1 Cira | 1 Canadian Shield | 2021-02-26 | 4.3 MEDIUM | 5.9 MEDIUM |
| The CIRA Canadian Shield app before 4.0.13 for iOS lacks SSL Certificate Validation. | |||||
| CVE-2020-24392 | 1 Twitter-stream Project | 1 Twitter-stream | 2021-02-25 | 4.3 MEDIUM | 5.9 MEDIUM |
| In voloko twitter-stream 0.1.10, missing TLS hostname validation allows an attacker to perform a man-in-the-middle attack against users of the library (because eventmachine is misused). | |||||
| CVE-2021-26911 | 2 Canarymail, Libmailcore | 2 Canary Mail, Mailcore2 | 2021-02-24 | 5.8 MEDIUM | 7.4 HIGH |
| core/imap/MCIMAPSession.cpp in Canary Mail before 3.22 has Missing SSL Certificate Validation for IMAP in STARTTLS mode. | |||||
| CVE-2014-0363 | 1 Igniterealtime | 1 Smack | 2021-02-23 | 5.8 MEDIUM | N/A |
| The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain. | |||||
| CVE-2019-17007 | 2 Mozilla, Siemens | 17 Network Security Services, Ruggedcom Rox Mx5000, Ruggedcom Rox Mx5000 Firmware and 14 more | 2021-02-19 | 5.0 MEDIUM | 7.5 HIGH |
| In Network Security Services before 3.44, a malformed Netscape Certificate Sequence can cause NSS to crash, resulting in a denial of service. | |||||
| CVE-2021-20649 | 1 Elecom | 2 Wrc-300febk-s, Wrc-300febk-s Firmware | 2021-02-15 | 5.8 MEDIUM | 4.8 MEDIUM |
| ELECOM WRC-300FEBK-S contains an improper certificate validation vulnerability. Via a man-in-the-middle attack, an attacker may alter the communication response. As a result, an arbitrary OS command may be executed on the affected device. | |||||
| CVE-2021-0341 | 1 Google | 1 Android | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171980069 | |||||
| CVE-2020-5812 | 1 Tenable | 1 Nessus Amazon Machine Image | 2021-02-10 | 4.3 MEDIUM | 5.9 MEDIUM |
| Nessus AMI versions 8.12.0 and earlier were found to either not validate, or incorrectly validate, a certificate which could allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. | |||||
| CVE-2021-3285 | 1 Ti | 1 Code Composer Studio Intgrated Development Environment | 2021-02-03 | 4.3 MEDIUM | 5.3 MEDIUM |
| jxbrowser in TI Code Composer Studio IDE 8.x through 10.x before 10.1.1 does not verify X.509 certificates for HTTPS. | |||||
| CVE-2021-3309 | 1 Wekan Project | 1 Wekan | 2021-02-02 | 6.8 MEDIUM | 8.1 HIGH |
| packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by the Certification Authority trust store, | |||||
| CVE-2020-24025 | 1 Sass-lang | 1 Node-sass | 2021-01-15 | 5.0 MEDIUM | 5.3 MEDIUM |
| Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries even if the user is not specifying an alternative download path. | |||||
| CVE-2020-25680 | 1 Redhat | 1 Jboss Core Services Httpd | 2021-01-14 | 5.5 MEDIUM | 5.4 MEDIUM |
| A flaw was found in JBCS httpd in version 2.4.37 SP3, where it uses a back-end worker SSL certificate with the keystore file's ID is 'unknown'. The validation of the certificate whether CN and hostname are matching stopped working and allow connecting to the back-end work. The highest threat from this vulnerability is to data integrity. | |||||
| CVE-2019-16281 | 1 Ptarmigan Project | 1 Ptarmigan | 2021-01-04 | 5.0 MEDIUM | 7.5 HIGH |
| Ptarmigan before 0.2.3 lacks API token validation, e.g., an "if (token === apiToken) {return true;} return false;" code block. | |||||
| CVE-2020-8289 | 1 Backblaze | 1 Backblaze | 2020-12-31 | 9.3 HIGH | 7.8 HIGH |
| Backblaze for Windows before 7.0.1.433 and Backblaze for macOS before 7.0.1.434 suffer from improper certificate validation in `bztransmit` helper due to hardcoded whitelist of strings in URLs where validation is disabled leading to possible remote code execution via client update functionality. | |||||
| CVE-2020-5684 | 1 Nec | 5 Ism Server, M120, M12e and 2 more | 2020-12-28 | 5.8 MEDIUM | 4.8 MEDIUM |
| iSM client versions from V5.1 prior to V12.1 running on NEC Storage Manager or NEC Storage Manager Express does not verify a server certificate properly, which allows a man-in-the-middle attacker to eavesdrop on an encrypted communication or alter the communication via a crafted certificate. | |||||