Common Weakness Enumeration

CWE-295

Allowed

Improper Certificate Validation

Abstraction: Base · Status: Draft

The product does not validate, or incorrectly validates, a certificate.

1907 vulnerabilities reference this CWE, most recent first.

GHSA-Q2XG-9R3Q-9VC3

Vulnerability from github – Published: 2025-06-06 18:30 – Updated: 2025-09-17 21:30
VLAI
Details

An improper certificate validation vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to compromise the security of the system.

We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-33031"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-06T16:15:28Z",
    "severity": "HIGH"
  },
  "details": "An improper certificate validation vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to compromise the security of the system.\n\nWe have already fixed the vulnerability in the following version:\nFile Station 5 5.5.6.4847 and later",
  "id": "GHSA-q2xg-9r3q-9vc3",
  "modified": "2025-09-17T21:30:41Z",
  "published": "2025-06-06T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33031"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-25-16"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q3H8-VXRG-HGJP

Vulnerability from github – Published: 2022-05-14 01:39 – Updated: 2022-05-14 01:39
VLAI
Details

The Mizuho Direct App for Android version 3.13.0 and earlier does not verify server certificates, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-16179"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-09T23:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The Mizuho Direct App for Android version 3.13.0 and earlier does not verify server certificates, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.",
  "id": "GHSA-q3h8-vxrg-hgjp",
  "modified": "2022-05-14T01:39:52Z",
  "published": "2022-05-14T01:39:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16179"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU91640357/index.html"
    },
    {
      "type": "WEB",
      "url": "https://play.google.com/store/apps/details?id=jp.co.mizuhobank.banking"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q3JF-4X8J-368Q

Vulnerability from github – Published: 2026-06-22 15:30 – Updated: 2026-06-30 03:37
VLAI
Details

A flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. WMCO establishes SSH connections to Windows worker nodes without verifying the remote server host key. An adjacent-network attacker who can intercept or redirect WMCO's SSH session can capture WICD and kubelet bootstrap credentials transferred during node configuration, enabling compromise of Windows node identities in the cluster.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-54100"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-22T14:17:40Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. WMCO establishes SSH connections to Windows worker nodes without verifying the remote server host key. An adjacent-network attacker who can intercept or redirect WMCO\u0027s SSH session can capture WICD and kubelet bootstrap credentials transferred during node configuration, enabling compromise of Windows node identities in the cluster.",
  "id": "GHSA-q3jf-4x8j-368q",
  "modified": "2026-06-30T03:37:07Z",
  "published": "2026-06-22T15:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54100"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-54100"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487953"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-54100.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q3MX-XPWH-HMPQ

Vulnerability from github – Published: 2022-05-17 02:20 – Updated: 2022-05-17 02:20
VLAI
Details

The CMS installer in Joomla! before 3.7.4 does not verify a user's ownership of a webspace, which allows remote authenticated users to gain control of the target application by leveraging Certificate Transparency logs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-11364"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-02T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "The CMS installer in Joomla! before 3.7.4 does not verify a user\u0027s ownership of a webspace, which allows remote authenticated users to gain control of the target application by leveraging Certificate Transparency logs.",
  "id": "GHSA-q3mx-xpwh-hmpq",
  "modified": "2022-05-17T02:20:12Z",
  "published": "2022-05-17T02:20:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11364"
    },
    {
      "type": "WEB",
      "url": "https://developer.joomla.org/security-centre/700-20170704-core-installer-lack-of-ownership-verification.html"
    },
    {
      "type": "WEB",
      "url": "https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Hanno-Boeck-Abusing-Certificate-Transparency-Logs.pdf"
    },
    {
      "type": "WEB",
      "url": "https://twitter.com/hanno/status/890281330906247168"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039015"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q43M-FFWR-RPCC

Vulnerability from github – Published: 2019-02-18 23:58 – Updated: 2021-01-08 18:18
VLAI
Summary
SSL Validation Defaults to False in electron-packager
Details

Affected versions of electron-packager configure the generated application to disable SSL certificate verification by default.

This could allow an attacker with a privileged network position to launch a Man In The Middle (MITM) attack on the install process, intercepting the step where electron-packager downloads Electron for supported target platforms and architectures, and replacing the valid download with a tampered malicious one.

This only affects users using the electron-packager CLI. The strict-ssl option defaults to true for the node.js API.

Recommendation

  1. Update to version 7.0.0 or later.
  2. Delete the electron-download cache folder, which is by default located at ~/.electron.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "electron-packager"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.2.1"
            },
            {
              "fixed": "7.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-10534"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:50:47Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "Affected versions of `electron-packager` configure the generated application to disable SSL certificate verification by default. \n\nThis could allow an attacker with a privileged network position to launch a Man In The Middle (MITM) attack on the install process, intercepting the step where electron-packager downloads Electron for supported target platforms and architectures, and replacing the valid download with a tampered malicious one.\n\nThis only affects users using the electron-packager CLI. The strict-ssl option defaults to true for the node.js API.\n\n\n## Recommendation\n\n1. Update to version 7.0.0 or later.\n2. Delete the `electron-download` cache folder, which is by default located at `~/.electron`.",
  "id": "GHSA-q43m-ffwr-rpcc",
  "modified": "2021-01-08T18:18:07Z",
  "published": "2019-02-18T23:58:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10534"
    },
    {
      "type": "WEB",
      "url": "https://github.com/electron-userland/electron-packager/issues/333"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-q43m-ffwr-rpcc"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/104"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "SSL Validation Defaults to False in electron-packager"
}

GHSA-Q4GV-PJMH-C735

Vulnerability from github – Published: 2026-04-07 15:30 – Updated: 2026-04-08 19:13
VLAI
Summary
Open Cluster Management (OCM): Cross-cluster privilege escalation via improper Kubernetes client certificate renewal validation
Details

A flaw was found in Open Cluster Management (OCM), the technology underlying Red Hat Advanced Cluster Management (ACM). Improper validation of Kubernetes client certificate renewal allows a managed cluster administrator to forge a client certificate that can be approved by the OCM controller. This enables cross-cluster privilege escalation and may allow an attacker to gain control over other managed clusters, including the hub cluster.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "open-cluster-management.io/ocm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-4740"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T19:13:58Z",
    "nvd_published_at": "2026-04-07T15:17:46Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in Open Cluster Management (OCM), the technology underlying Red Hat Advanced Cluster Management (ACM). Improper validation of Kubernetes client certificate renewal allows a managed cluster administrator to forge a client certificate that can be approved by the OCM controller. This enables cross-cluster privilege escalation and may allow an attacker to gain control over other managed clusters, including the hub cluster.",
  "id": "GHSA-q4gv-pjmh-c735",
  "modified": "2026-04-08T19:13:58Z",
  "published": "2026-04-07T15:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4740"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-cluster-management-io/ocm/commit/9e70cc1e21a15239c81111062c0b37df4b5a8026"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4740"
    },
    {
      "type": "WEB",
      "url": "https://blog.arfevrier.fr/open-cluster-management-cross-cluster-escape"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450590"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-cluster-management-io/OCM"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open Cluster Management (OCM): Cross-cluster privilege escalation via improper Kubernetes client certificate renewal validation"
}

GHSA-Q4M2-33MJ-C7H8

Vulnerability from github – Published: 2025-11-12 21:31 – Updated: 2025-11-12 21:31
VLAI
Details

A vulnerability was reported in the Lenovo Scanner pro application during an internal security assessment that, under certain circumstances, could allow an attacker on the same logical network to disclose sensitive user files from the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12047"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-12T20:15:37Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was reported in the Lenovo Scanner pro application during an internal security assessment that, under certain circumstances, could allow an attacker on the same logical network to disclose sensitive user files from the application.",
  "id": "GHSA-q4m2-33mj-c7h8",
  "modified": "2025-11-12T21:31:08Z",
  "published": "2025-11-12T21:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12047"
    },
    {
      "type": "WEB",
      "url": "https://iknow.lenovo.com.cn/detail/434327"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q4R8-XM5F-56GW

Vulnerability from github – Published: 2026-03-19 16:27 – Updated: 2026-04-08 11:57
VLAI
Summary
step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)
Details

Summary

An attacker can force a Step CA SCEP provisioner to create certificates without completing certain protocol authorization checks.

Details

SCEP requests carry a message type. On receipt of a SCEP request, Step CA starts processing it by parsing its contents. Message types that were considered valid, but not explicitly supported in Step CA, would result in getting parsed successfully. While processing the parsed SCEP message, authorization logic would be skipped for the non-supported message types.

As a result, the request would be treated as authorized, bypassing the authorization checks normally enforced as part of the SCEP protocol and its implementation in Step CA.

Authorization webhooks and regular CA policies, such as allowed names and restrictions on certificate validity periods, remain in place.

Mitigations

If you are unable to upgrade to v0.30.0 or newer, the attack can be mitigated by (temporarily) disabling or removing SCEP provisioners, or restricting access to SCEP provisioners to trusted clients only.

Fix

In v0.30.0, additional validation was added to SCEP provisioners, so that they reject unsupported message types.

Acknowledgements

This issue was identified and reported by Prasanth Sundararajan.

Embargo List

If your organization runs Step CA in production and would like advance, embargoed notification of future security updates, visit https://u.step.sm/disclosure to request inclusion on our embargo list.

Stay safe, and thank you for helping us keep the ecosystem secure.

If you have urgent questions, please contact security@smallstep.com.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/smallstep/certificates"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.30.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30836"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-19T16:27:53Z",
    "nvd_published_at": "2026-03-19T21:17:09Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nAn attacker can force a Step CA SCEP provisioner to create certificates without completing certain protocol authorization checks.\n\n## Details\n\nSCEP requests carry a message type. On receipt of a SCEP request, Step CA starts processing it by parsing its contents. Message types that were considered valid, but not explicitly supported in Step CA, would result in getting parsed successfully. While processing the parsed SCEP message, authorization logic would be skipped for the non-supported message types.\n\nAs a result, the request would be treated as authorized, bypassing the authorization checks normally enforced as part of the SCEP protocol and its implementation in Step CA.\n\nAuthorization webhooks and regular CA policies, such as allowed names and restrictions on certificate validity periods, remain in place.\n\n## Mitigations\n\nIf you are unable to upgrade to v0.30.0 or newer, the attack can be mitigated by (temporarily) disabling or removing SCEP provisioners, or restricting access to SCEP provisioners to trusted clients only.\n\n## Fix\n\nIn v0.30.0, additional validation was added to SCEP provisioners, so that they reject unsupported message types.\n\n## Acknowledgements\n\nThis issue was identified and reported by Prasanth Sundararajan.\n\n## Embargo List\n\nIf your organization runs Step CA in production and would like advance, embargoed notification of future security updates, visit https://u.step.sm/disclosure to request inclusion on our embargo list.\n\nStay safe, and thank you for helping us keep the ecosystem secure.\n\nIf you have urgent questions, please contact [security@smallstep.com](mailto:security@smallstep.com).",
  "id": "GHSA-q4r8-xm5f-56gw",
  "modified": "2026-04-08T11:57:49Z",
  "published": "2026-03-19T16:27:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/smallstep/certificates/security/advisories/GHSA-q4r8-xm5f-56gw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30836"
    },
    {
      "type": "WEB",
      "url": "https://github.com/smallstep/certificates/commit/e6da031d5125cfd99fe9a26f74bb41e4dacca4ef"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/smallstep/certificates"
    },
    {
      "type": "WEB",
      "url": "https://github.com/smallstep/certificates/releases/tag/v0.30.0-rc7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)"
}

GHSA-Q4RW-R22F-CJ98

Vulnerability from github – Published: 2022-05-17 02:48 – Updated: 2022-05-17 02:48
VLAI
Details

Kintone mobile for Android 1.0.0 through 1.0.5 does not verify SSL server certificates.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-1186"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-21T20:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Kintone mobile for Android 1.0.0 through 1.0.5 does not verify SSL server certificates.",
  "id": "GHSA-q4rw-r22f-cj98",
  "modified": "2022-05-17T02:48:18Z",
  "published": "2022-05-17T02:48:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1186"
    },
    {
      "type": "WEB",
      "url": "https://support.cybozu.com/ja-jp/article/9480"
    },
    {
      "type": "WEB",
      "url": "http://jvn.jp/en/jp/JVN91816422/index.html"
    },
    {
      "type": "WEB",
      "url": "http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000056.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97976"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q4WW-5C58-73PX

Vulnerability from github – Published: 2025-06-06 18:30 – Updated: 2025-06-18 18:30
VLAI
Details

An improper certificate validation vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers who have gained user access to compromise the security of the system.

We have already fixed the vulnerability in the following versions: File Station 5 5.5.6.4791 and later and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-29883"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-06T16:15:25Z",
    "severity": "HIGH"
  },
  "details": "An improper certificate validation vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers who have gained user access to compromise the security of the system.\n\nWe have already fixed the vulnerability in the following versions:\nFile Station 5 5.5.6.4791 and later\n  and later",
  "id": "GHSA-q4ww-5c58-73px",
  "modified": "2025-06-18T18:30:32Z",
  "published": "2025-06-06T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29883"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-25-09"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.

Mitigation
Implementation

If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.

CAPEC-459: Creating a Rogue Certification Authority Certificate

An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.

CAPEC-475: Signature Spoofing by Improper Validation

An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.