Common Weakness Enumeration

CWE-295

Allowed

Improper Certificate Validation

Abstraction: Base · Status: Draft

The product does not validate, or incorrectly validates, a certificate.

1906 vulnerabilities reference this CWE, most recent first.

GHSA-RPX3-3F8J-F6V2

Vulnerability from github – Published: 2026-05-13 18:30 – Updated: 2026-05-13 18:30
VLAI
Details

aria2c accepts a server certificate with incorrect Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8367"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-13T16:17:04Z",
    "severity": "MODERATE"
  },
  "details": "aria2c accepts a server certificate with incorrect Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.",
  "id": "GHSA-rpx3-3f8j-f6v2",
  "modified": "2026-05-13T18:30:57Z",
  "published": "2026-05-13T18:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8367"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/research/tra-2026-38"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RQMR-F8R9-69WQ

Vulnerability from github – Published: 2024-08-05 15:30 – Updated: 2024-09-25 03:30
VLAI
Details

A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7383"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-05T14:15:35Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in libnbd. The client did not always correctly verify the NBD server\u0027s certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic.",
  "id": "GHSA-rqmr-f8r9-69wq",
  "modified": "2024-09-25T03:30:35Z",
  "published": "2024-08-05T15:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7383"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:6757"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:6964"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-7383"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2302865"
    },
    {
      "type": "WEB",
      "url": "https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/message/LHR3BW6RJ7K4BJBQIYV3GTZLSY27VZO2"
    },
    {
      "type": "WEB",
      "url": "https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/ENZY4LHLARA3N4C3JUNLPYUCXHFO7BWQ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RR3P-5FCF-V5M3

Vulnerability from github – Published: 2023-06-14 15:30 – Updated: 2024-01-30 23:13
VLAI
Summary
SSL/TLS certificate validation disabled by default in Jenkins Checkmarx Plugin
Details

Jenkins Checkmarx Plugin 2022.4.3 and earlier disables SSL/TLS validation for connections to the Checkmarx server by default.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2022.4.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.checkmarx.jenkins:checkmarx"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2023.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-35142"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-30T23:13:05Z",
    "nvd_published_at": "2023-06-14T13:15:11Z",
    "severity": "HIGH"
  },
  "details": "Jenkins Checkmarx Plugin 2022.4.3 and earlier disables SSL/TLS validation for connections to the Checkmarx server by default.",
  "id": "GHSA-rr3p-5fcf-v5m3",
  "modified": "2024-01-30T23:13:05Z",
  "published": "2023-06-14T15:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35142"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-2870"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/06/14/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SSL/TLS certificate validation disabled by default in Jenkins Checkmarx Plugin"
}

GHSA-RRGX-WGV5-5HF9

Vulnerability from github – Published: 2026-06-15 21:30 – Updated: 2026-06-16 15:33
VLAI
Details

In OCaml-TLS before 2.1.0, the client implementation does insufficient checks of the certificate provided by the server, which allows impersonation with certificates that are not meant for server authentication (because of KeyUsage and ExtendedKeyUsage).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-45388"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-15T20:16:28Z",
    "severity": "CRITICAL"
  },
  "details": "In OCaml-TLS before 2.1.0, the client implementation does insufficient checks of the certificate provided by the server, which allows impersonation with certificates that are not meant for server authentication (because of KeyUsage and ExtendedKeyUsage).",
  "id": "GHSA-rrgx-wgv5-5hf9",
  "modified": "2026-06-16T15:33:47Z",
  "published": "2026-06-15T21:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45388"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/OSEC-2026-06"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RRRJ-WQPH-2CMR

Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2022-05-24 16:48
VLAI
Details

The ABB CP635 HMI uses two different transmission methods to upgrade its firmware and its software components: "Utilization of USB/SD Card to flash the device" and "Remote provisioning process via ABB Panel Builder 600 over FTP." Neither of these transmission methods implements any form of encryption or authenticity checks against the new firmware HMI software binary files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-7229"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295",
      "CWE-494"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-24T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "The ABB CP635 HMI uses two different transmission methods to upgrade its firmware and its software components: \"Utilization of USB/SD Card to flash the device\" and \"Remote provisioning process via ABB Panel Builder 600 over FTP.\" Neither of these transmission methods implements any form of encryption or authenticity checks against the new firmware HMI software binary files.",
  "id": "GHSA-rrrj-wqph-2cmr",
  "modified": "2022-05-24T16:48:37Z",
  "published": "2022-05-24T16:48:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7229"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=3ADR010376\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=3ADR010402\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    },
    {
      "type": "WEB",
      "url": "https://www.darkmatter.ae/xen1thlabs/abb-hmi-absence-of-signature-verification-vulnerability-xl-19-005"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/153387/ABB-HMI-Missing-Signature-Verification.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2019/Jun/34"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RVC6-CVQ7-4G2Q

Vulnerability from github – Published: 2023-03-29 21:30 – Updated: 2023-04-05 15:30
VLAI
Details

This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of NETGEAR R6700v3 1.0.4.120_10.0.91 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the downloading of files via HTTPS. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-15797.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-27644"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-29T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of NETGEAR R6700v3 1.0.4.120_10.0.91 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the downloading of files via HTTPS. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-15797.",
  "id": "GHSA-rvc6-cvq7-4g2q",
  "modified": "2023-04-05T15:30:23Z",
  "published": "2023-03-29T21:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27644"
    },
    {
      "type": "WEB",
      "url": "https://kb.netgear.com/000064721/Security-Advisory-for-Multiple-Vulnerabilities-on-Multiple-Products-PSV-2021-0324"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-520"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RVCJ-9XFM-M9HR

Vulnerability from github – Published: 2024-06-25 15:31 – Updated: 2025-12-23 18:30
VLAI
Details

Improper Certificate Validation vulnerability in LibreOffice "LibreOfficeKit" mode disables TLS certification verification

LibreOfficeKit can be used for accessing LibreOffice functionality through C/C++. Typically this is used by third party components to reuse LibreOffice as a library to convert, view or otherwise interact with documents.

LibreOffice internally makes use of "curl" to fetch remote resources such as images hosted on webservers.

In affected versions of LibreOffice, when used in LibreOfficeKit mode only, then curl's TLS certification verification was disabled (CURLOPT_SSL_VERIFYPEER of false)

In the fixed versions curl operates in LibreOfficeKit mode the same as in standard mode with CURLOPT_SSL_VERIFYPEER of true.

This issue affects LibreOffice before version 24.2.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-5261"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-25T13:15:50Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Certificate Validation vulnerability in LibreOffice \"LibreOfficeKit\" mode disables TLS certification verification\n\nLibreOfficeKit can be used for accessing LibreOffice functionality \nthrough C/C++. Typically this is used by third party components to reuse\n LibreOffice as a library to convert, view or otherwise interact with \ndocuments.\n\nLibreOffice internally makes use of \"curl\" to fetch remote resources such as images hosted on webservers.\n\nIn\n affected versions of LibreOffice, when used in LibreOfficeKit mode \nonly, then curl\u0027s TLS certification verification was disabled \n(CURLOPT_SSL_VERIFYPEER of false)\n\nIn the fixed versions curl operates in LibreOfficeKit mode the same as in standard mode with CURLOPT_SSL_VERIFYPEER of true.\n\nThis issue affects LibreOffice before version 24.2.4.",
  "id": "GHSA-rvcj-9xfm-m9hr",
  "modified": "2025-12-23T18:30:19Z",
  "published": "2024-06-25T15:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5261"
    },
    {
      "type": "WEB",
      "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2024-5261"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RVPR-922X-MXGG

Vulnerability from github – Published: 2025-11-13 15:30 – Updated: 2025-11-13 15:30
VLAI
Details

Improper certificate validation in certain Zoom Clients may allow an unauthenticated user to conduct a disclosure of information via adjacent access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30669"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-13T15:15:51Z",
    "severity": "MODERATE"
  },
  "details": "Improper certificate validation in certain Zoom Clients may allow an unauthenticated user to conduct a disclosure of information via adjacent access.",
  "id": "GHSA-rvpr-922x-mxgg",
  "modified": "2025-11-13T15:30:31Z",
  "published": "2025-11-13T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30669"
    },
    {
      "type": "WEB",
      "url": "https://www.zoom.com/en/trust/security-bulletin/zsb-25044"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RW69-WR48-W7PX

Vulnerability from github – Published: 2023-12-01 00:31 – Updated: 2023-12-01 00:31
VLAI
Details

KEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5909"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295",
      "CWE-297"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-30T22:15:10Z",
    "severity": "HIGH"
  },
  "details": "\n\n\n\n\n\n\n\n\nKEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect.\n\n\n\n\n\n\n\n",
  "id": "GHSA-rw69-wr48-w7px",
  "modified": "2023-12-01T00:31:00Z",
  "published": "2023-12-01T00:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5909"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RWGM-F83R-V3QJ

Vulnerability from github – Published: 2021-05-19 23:03 – Updated: 2021-06-18 20:29
VLAI
Summary
Improper Certificate Validation in WP-CLI framework
Details

Impact

An improper error handling in HTTPS requests management in WP-CLI version 0.12.0 and later allows remote attackers able to intercept the communication to remotely disable the certificate verification on WP-CLI side, gaining full control over the communication content, including the ability to impersonate update servers and push malicious updates towards WordPress instances controlled by the vulnerable WP-CLI agent, or push malicious updates toward WP-CLI itself.

Patches

The vulnerability stems from the fact that the default behavior of WP_CLI\Utils\http_request() when encountering a TLS handshake error is to disable certificate validation and retry the same request.

The default behavior has been changed with version 2.5.0 of WP-CLI and the wp-cli/wp-cli framework (via https://github.com/wp-cli/wp-cli/pull/5523) so that the WP_CLI\Utils\http_request() method accepts an $insecure option that is false by default and consequently that a TLS handshake failure is a hard error by default. This new default is a breaking change and ripples through to all consumers of WP_CLI\Utils\http_request(), including those in separate WP-CLI bundled or third-party packages.

https://github.com/wp-cli/wp-cli/pull/5523 has also added an --insecure flag to the cli update command to counter this breaking change.

Subsequent PRs on the command repositories have added an --insecure flag to the appropriate commands on the following repositories to counter the breaking change:

  • https://github.com/wp-cli/config-command/pull/128
  • https://github.com/wp-cli/core-command/pull/186
  • https://github.com/wp-cli/extension-command/pull/287
  • https://github.com/wp-cli/checksum-command/pull/86
  • https://github.com/wp-cli/package-command/pull/138

Workarounds

There is no direct workaround for the default insecure behavior of wp-cli/wp-cli versions before 2.5.0.

The workaround for dealing with the breaking change in the commands directly affected by the new secure default behavior is to add the --insecure flag to manually opt-in to the previous insecure behavior.

References

For more information

If you have any questions or comments about this advisory: * Join the #cli channel in the WordPress.org Slack to ask questions or provide feedback.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wp-cli/wp-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.12.0"
            },
            {
              "fixed": "2.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29504"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-19T19:51:53Z",
    "nvd_published_at": "2021-06-07T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nAn improper error handling in HTTPS requests management in WP-CLI version 0.12.0 and later allows remote attackers able to intercept the communication to remotely disable the certificate verification on WP-CLI side, gaining full control over the communication content, including the ability to impersonate update servers and push malicious updates towards WordPress instances controlled by the vulnerable WP-CLI agent, or push malicious updates toward WP-CLI itself.\n\n### Patches\nThe vulnerability stems from the fact that the default behavior of `WP_CLI\\Utils\\http_request()` when encountering a TLS handshake error is to disable certificate validation and retry the same request.\n\nThe default behavior has been changed with version 2.5.0 of WP-CLI and the `wp-cli/wp-cli` framework (via https://github.com/wp-cli/wp-cli/pull/5523) so that the `WP_CLI\\Utils\\http_request()` method accepts an `$insecure` option that is `false` by default and consequently that a TLS handshake failure is a hard error by default. This new default is a breaking change and ripples through to all consumers of `WP_CLI\\Utils\\http_request()`, including those in separate WP-CLI bundled or third-party packages.\n\nhttps://github.com/wp-cli/wp-cli/pull/5523 has also added an `--insecure` flag to the `cli update` command to counter this breaking change.\n\nSubsequent PRs on the command repositories have added an `--insecure` flag to the appropriate commands on the following repositories to counter the breaking change:\n\n* https://github.com/wp-cli/config-command/pull/128\n* https://github.com/wp-cli/core-command/pull/186\n* https://github.com/wp-cli/extension-command/pull/287\n* https://github.com/wp-cli/checksum-command/pull/86\n* https://github.com/wp-cli/package-command/pull/138\n\n### Workarounds\nThere is no direct workaround for the default insecure behavior of `wp-cli/wp-cli` versions before 2.5.0.\n\nThe workaround for dealing with the breaking change in the commands directly affected by the new secure default behavior is to add the `--insecure` flag to manually opt-in to the previous insecure behavior.\n\n### References\n* [CWE: Improper Certificate Validation](https://cwe.mitre.org/data/definitions/295.html)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Join the `#cli` channel in the [WordPress.org Slack](https://make.wordpress.org/chat/) to ask questions or provide feedback.\n",
  "id": "GHSA-rwgm-f83r-v3qj",
  "modified": "2021-06-18T20:29:34Z",
  "published": "2021-05-19T23:03:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/wp-cli/wp-cli/security/advisories/GHSA-rwgm-f83r-v3qj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29504"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wp-cli/checksum-command/pull/86"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wp-cli/config-command/pull/128"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wp-cli/core-command/pull/186"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wp-cli/extension-command/pull/287"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wp-cli/package-command/pull/138"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wp-cli/wp-cli/pull/5523"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/wp-cli/wp-cli/CVE-2021-29504.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Certificate Validation in WP-CLI framework"
}

Mitigation
Architecture and Design Implementation

Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.

Mitigation
Implementation

If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.

CAPEC-459: Creating a Rogue Certification Authority Certificate

An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.

CAPEC-475: Signature Spoofing by Improper Validation

An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.