Common Weakness Enumeration

CWE-295

Allowed

Improper Certificate Validation

Abstraction: Base · Status: Draft

The product does not validate, or incorrectly validates, a certificate.

1908 vulnerabilities reference this CWE, most recent first.

GHSA-M6MG-MJQ2-V73R

Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11
VLAI
Details

The AWV component of Mitel MiCollab before 9.3 could allow an attacker to perform a Man-In-the-Middle attack due to improper TLS negotiation. A successful exploit could allow an attacker to view and modify data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-32069"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-13T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The AWV component of Mitel MiCollab before 9.3 could allow an attacker to perform a Man-In-the-Middle attack due to improper TLS negotiation. A successful exploit could allow an attacker to view and modify data.",
  "id": "GHSA-m6mg-mjq2-v73r",
  "modified": "2022-05-24T19:11:05Z",
  "published": "2022-05-24T19:11:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32069"
    },
    {
      "type": "WEB",
      "url": "https://www.mitel.com/support/security-advisories"
    },
    {
      "type": "WEB",
      "url": "https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-21-0005"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-M74J-PP4X-R2G8

Vulnerability from github – Published: 2022-05-14 01:30 – Updated: 2022-05-14 01:30
VLAI
Details

Cordaware bestinformed Microsoft Windows client before 6.2.1.0 is affected by insecure SSL certificate verification and insecure access patterns. These issues allow remote attackers to downgrade encrypted connections to cleartext.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-6266"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-25T23:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Cordaware bestinformed Microsoft Windows client before 6.2.1.0 is affected by insecure SSL certificate verification and insecure access patterns. These issues allow remote attackers to downgrade encrypted connections to cleartext.",
  "id": "GHSA-m74j-pp4x-r2g8",
  "modified": "2022-05-14T01:30:10Z",
  "published": "2022-05-14T01:30:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6266"
    },
    {
      "type": "WEB",
      "url": "https://www.detack.de/en/cve-2019-6265-6266"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M7JQ-XVR4-F7XC

Vulnerability from github – Published: 2022-11-04 19:01 – Updated: 2022-11-08 19:00
VLAI
Details

A vulnerability in Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper handling of certain TLS connections that are processed by an affected device. An attacker could exploit this vulnerability by establishing a large number of concurrent TLS connections to an affected device. A successful exploit could allow the attacker to cause the device to drop new TLS email messages that come from the associated email servers. Exploitation of this vulnerability does not cause the affected device to unexpectedly reload. The device will recover autonomously within a few hours of when the attack is halted or mitigated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20960"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-04T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper handling of certain TLS connections that are processed by an affected device. An attacker could exploit this vulnerability by establishing a large number of concurrent TLS connections to an affected device. A successful exploit could allow the attacker to cause the device to drop new TLS email messages that come from the associated email servers. Exploitation of this vulnerability does not cause the affected device to unexpectedly reload. The device will recover autonomously within a few hours of when the attack is halted or mitigated.",
  "id": "GHSA-m7jq-xvr4-f7xc",
  "modified": "2022-11-08T19:00:23Z",
  "published": "2022-11-04T19:01:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20960"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-dos-gdghHmbV"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-dos-gdghHmbV"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M7P8-9W66-9FRM

Vulnerability from github – Published: 2018-01-06 01:11 – Updated: 2023-01-23 21:24
VLAI
Summary
net-ldap Improper Certificate Validation vulnerability
Details

The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "net-ldap"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.16.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-17718"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:45:19Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation.",
  "id": "GHSA-m7p8-9w66-9frm",
  "modified": "2023-01-23T21:24:13Z",
  "published": "2018-01-06T01:11:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17718"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby-ldap/ruby-net-ldap/issues/258"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby-ldap/ruby-net-ldap/pull/279"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ruby-ldap/ruby-net-ldap"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2017/12/17/10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "net-ldap Improper Certificate Validation vulnerability"
}

GHSA-M835-W378-P8VP

Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-05-24 19:18
VLAI
Details

CFEngine Enterprise 3.15.0 through 3.15.4 has Missing SSL Certificate Validation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36756"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-27T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "CFEngine Enterprise 3.15.0 through 3.15.4 has Missing SSL Certificate Validation.",
  "id": "GHSA-m835-w378-p8vp",
  "modified": "2022-05-24T19:18:57Z",
  "published": "2022-05-24T19:18:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36756"
    },
    {
      "type": "WEB",
      "url": "https://cfengine.com/blog/2021/cve-2021-38379-and-cve-2021-36756"
    },
    {
      "type": "WEB",
      "url": "https://cfengine.com/downloads/cfengine-enterprise"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-M8M3-3PMC-XJ5P

Vulnerability from github – Published: 2024-12-16 18:31 – Updated: 2024-12-16 18:31
VLAI
Details

An improper certificate validation vulnerability was reported in LADM that could allow a network attacker with the ability to redirect an update request to a remote server and execute code with elevated privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6001"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-16T17:15:14Z",
    "severity": "HIGH"
  },
  "details": "An improper certificate validation vulnerability was reported in LADM that could allow a network attacker with the ability to redirect an update request to a remote server and execute code with elevated privileges.",
  "id": "GHSA-m8m3-3pmc-xj5p",
  "modified": "2024-12-16T18:31:09Z",
  "published": "2024-12-16T18:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6001"
    },
    {
      "type": "WEB",
      "url": "https://support.lenovo.co/us/en/product_security/LEN-174319"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M8R2-QGR6-4GQM

Vulnerability from github – Published: 2026-06-25 21:31 – Updated: 2026-06-26 21:32
VLAI
Details

Certificates with wildcard DNS SANs (e.g. *.example.com) bypassed CA name-constraint checks. A certificate with a wildcard DNS SAN that should be rejected by the issuing CA's permitted/excluded DNS name constraints could be accepted.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-10592"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T20:17:09Z",
    "severity": "MODERATE"
  },
  "details": "Certificates with wildcard DNS SANs (e.g. *.example.com) bypassed CA name-constraint checks. A certificate with a wildcard DNS SAN that should be rejected by the issuing CA\u0027s permitted/excluded DNS name constraints could be accepted.",
  "id": "GHSA-m8r2-qgr6-4gqm",
  "modified": "2026-06-26T21:32:11Z",
  "published": "2026-06-25T21:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10592"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wolfSSL/wolfssl/pull/10549"
    },
    {
      "type": "WEB",
      "url": "https://www.wolfssl.com/docs/security-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-M8X2-4GC8-9V3R

Vulnerability from github – Published: 2022-05-14 02:56 – Updated: 2022-12-12 17:01
VLAI
Summary
Jenkins CollabNet Plugin man in the middle vulnerability
Details

A man in the middle vulnerability exists in Jenkins CollabNet Plugin 2.0.4 and earlier in CollabNetApp.java, CollabNetPlugin.java, CNFormFieldValidator.java that allows attackers to impersonate any service that Jenkins connects to. CollabNet Plugin 2.0.5 and newer no longer does that. It instead requires users to opt in to disabling SSL/TLS certificate validation by setting the system property hudson.plugins.collabnet.CollabNetPlugin.skipSslValidation to true. This feature applies to connections by this plugin only.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.4"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:collabnet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1000605"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-12T17:01:53Z",
    "nvd_published_at": "2018-06-26T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A man in the middle vulnerability exists in Jenkins CollabNet Plugin 2.0.4 and earlier in CollabNetApp.java, CollabNetPlugin.java, CNFormFieldValidator.java that allows attackers to impersonate any service that Jenkins connects to. CollabNet Plugin 2.0.5 and newer no longer does that. It instead requires users to opt in to disabling SSL/TLS certificate validation by setting the system property hudson.plugins.collabnet.CollabNetPlugin.skipSslValidation to true. This feature applies to connections by this plugin only.",
  "id": "GHSA-m8x2-4gc8-9v3r",
  "modified": "2022-12-12T17:01:53Z",
  "published": "2022-05-14T02:56:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000605"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/collabnet-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2018-06-25/#SECURITY-941"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins CollabNet Plugin man in the middle vulnerability"
}

GHSA-M959-CC7F-WV43

Vulnerability from github – Published: 2026-03-27 19:56 – Updated: 2026-06-05 17:51
VLAI
Summary
cryptography has incomplete DNS name constraint enforcement on peer names
Details

Summary

In versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com.

This behavior resulted from a gap between RFC 5280 (which defines Name Constraint semantics) and RFC 9525 (which defines service identity semantics): put together, neither states definitively whether Name Constraints should be applied to peer names. To close this gap, cryptography now conservatively rejects any validation where the peer name would be rejected by a name constraint if it were a SAN instead.

In practice, exploitation of this bypass requires an uncommon X.509 topology, one that the Web PKI avoids because it exhibits these kinds of problems. Consequently, we consider this a medium-to-low impact severity.

See CVE-2025-61727 for a similar bypass in Go's crypto/x509.

Remediation

Users should upgrade to 46.0.6 or newer.

Attribution

Reporter: @1seal

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "cryptography"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "46.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34073"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T19:56:21Z",
    "nvd_published_at": "2026-03-31T03:15:59Z",
    "severity": "LOW"
  },
  "details": "## Summary\n\nIn versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the \"peer name\" presented during each validation. Consequently, cryptography would allow a peer named `bar.example.com` to validate against a wildcard leaf certificate for `*.example.com`, even if the leaf\u0027s parent certificate (or upwards) contained an excluded subtree constraint for `bar.example.com`.\n\nThis behavior resulted from a gap between RFC 5280 (which defines Name Constraint semantics) and RFC 9525 (which defines service identity semantics): put together, neither states definitively whether Name Constraints should be applied to peer names. To close this gap, cryptography now conservatively rejects any validation where the peer name would be rejected by a name constraint if it were a SAN instead.\n\nIn practice, exploitation of this bypass requires an uncommon X.509 topology, one that the Web PKI avoids because it exhibits these kinds of problems. Consequently, we consider this a medium-to-low impact severity.\n\nSee CVE-2025-61727 for a similar bypass in Go\u0027s `crypto/x509`.\n\n## Remediation\n\nUsers should upgrade to 46.0.6 or newer. \n\n## Attribution\n\nReporter: @1seal",
  "id": "GHSA-m959-cc7f-wv43",
  "modified": "2026-06-05T17:51:29Z",
  "published": "2026-03-27T19:56:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34073"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyca/cryptography"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2026-35.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "cryptography has incomplete DNS name constraint enforcement on peer names"
}

GHSA-M998-32Q9-VXPX

Vulnerability from github – Published: 2025-01-23 18:31 – Updated: 2025-01-23 18:31
VLAI
Details

ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-52330"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-23T17:15:14Z",
    "severity": "CRITICAL"
  },
  "details": "ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.",
  "id": "GHSA-m998-32q9-vxpx",
  "modified": "2025-01-23T18:31:20Z",
  "published": "2025-01-23T18:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52330"
    },
    {
      "type": "WEB",
      "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
    },
    {
      "type": "WEB",
      "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.

Mitigation
Implementation

If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.

CAPEC-459: Creating a Rogue Certification Authority Certificate

An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.

CAPEC-475: Signature Spoofing by Improper Validation

An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.