CWE-295
AllowedImproper Certificate Validation
Abstraction: Base · Status: Draft
The product does not validate, or incorrectly validates, a certificate.
1905 vulnerabilities reference this CWE, most recent first.
GHSA-RX6Q-6V39-C6Q2
Vulnerability from github – Published: 2024-10-08 09:30 – Updated: 2024-10-08 09:30SSL Pinning Bypass in eWeLink Some hardware products allows local ATTACKER to Decrypt TLS communication and Extract secrets to clone the device via Flash the modified firmware
{
"affected": [],
"aliases": [
"CVE-2024-7206"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-08T07:15:06Z",
"severity": "HIGH"
},
"details": "SSL Pinning Bypass\u00a0in\u00a0eWeLink Some hardware products\u00a0allows local ATTACKER to Decrypt TLS communication and Extract secrets to clone the device\u00a0via Flash the modified firmware",
"id": "GHSA-rx6q-6v39-c6q2",
"modified": "2024-10-08T09:30:52Z",
"published": "2024-10-08T09:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7206"
},
{
"type": "WEB",
"url": "https://ewelink.cc/security-advisory-firmware-extraction-and-hardware-ssl-pinning-bypass"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-V2Q7-X3PW-JC98
Vulnerability from github – Published: 2022-03-09 00:00 – Updated: 2025-08-12 12:30A vulnerability has been identified in RUGGEDCOM ROS M2100 (All versions < V5.6.0), RUGGEDCOM ROS RMC8388 devices (All versions < V5.6.0), RUGGEDCOM ROS RS416v2 (All versions < V5.6.0), RUGGEDCOM ROS RS900G (All versions < V5.6.0), RUGGEDCOM ROS RS900G (32M) (All versions < V5.6.0), RUGGEDCOM ROS RSG2100 (32M) V5.X (All versions < V5.6.0), RUGGEDCOM ROS RSG2100P (All versions < V5.6.0), RUGGEDCOM ROS RSG2100P (32M) V5.X (All versions < V5.6.0), RUGGEDCOM ROS RSG2288 V5.X (All versions < V5.6.0), RUGGEDCOM ROS RSG2300 V5.X (All versions < V5.6.0), RUGGEDCOM ROS RSG2300P V5.X (All versions < V5.6.0), RUGGEDCOM ROS RSG2488 V5.X (All versions < V5.6.0), RUGGEDCOM ROS RSG900 V5.X (All versions < V5.6.0), RUGGEDCOM ROS RSG920P V5.X (All versions < V5.6.0), RUGGEDCOM ROS RSL910 (All versions < V5.6.0), RUGGEDCOM ROS RST2228 (All versions < V5.6.0), RUGGEDCOM ROS RST916C (All versions < V5.6.0), RUGGEDCOM ROS RST916P (All versions < V5.6.0). A new variant of the POODLE attack has left a third-party component vulnerable due to the implementation flaws of the CBC encryption mode in TLS 1.0 to 1.2. If an attacker were to exploit this, they could act as a man-in-the-middle and eavesdrop on encrypted communications.
{
"affected": [],
"aliases": [
"CVE-2021-42017"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-358"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-08T12:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in RUGGEDCOM ROS M2100 (All versions \u003c V5.6.0), RUGGEDCOM ROS RMC8388 devices (All versions \u003c V5.6.0), RUGGEDCOM ROS RS416v2 (All versions \u003c V5.6.0), RUGGEDCOM ROS RS900G (All versions \u003c V5.6.0), RUGGEDCOM ROS RS900G (32M) (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2100 (32M) V5.X (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2100P (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2100P (32M) V5.X (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2288 V5.X (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2300 V5.X (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2300P V5.X (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2488 V5.X (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG900 V5.X (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG920P V5.X (All versions \u003c V5.6.0), RUGGEDCOM ROS RSL910 (All versions \u003c V5.6.0), RUGGEDCOM ROS RST2228 (All versions \u003c V5.6.0), RUGGEDCOM ROS RST916C (All versions \u003c V5.6.0), RUGGEDCOM ROS RST916P (All versions \u003c V5.6.0). A new variant of the POODLE attack has left a third-party component vulnerable due to the implementation flaws of the CBC encryption mode in TLS 1.0 to 1.2. If an attacker were to exploit this, they could act as a man-in-the-middle and eavesdrop on encrypted communications.",
"id": "GHSA-v2q7-x3pw-jc98",
"modified": "2025-08-12T12:30:31Z",
"published": "2022-03-09T00:00:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42017"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-256353.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-256353.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V2XC-3R7V-9VRM
Vulnerability from github – Published: 2025-02-04 15:31 – Updated: 2025-11-03 21:32Certificate length was not properly checked when added to a certificate store. In practice only trusted data was processed. This vulnerability affects Firefox < 135, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135.
{
"affected": [],
"aliases": [
"CVE-2025-1014"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-04T14:15:32Z",
"severity": "HIGH"
},
"details": "Certificate length was not properly checked when added to a certificate store. In practice only trusted data was processed. This vulnerability affects Firefox \u003c 135, Firefox ESR \u003c 128.7, Thunderbird \u003c 128.7, and Thunderbird \u003c 135.",
"id": "GHSA-v2xc-3r7v-9vrm",
"modified": "2025-11-03T21:32:36Z",
"published": "2025-02-04T15:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1014"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1940804"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00006.html"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-07"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-09"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-10"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V355-7MQG-QJ9C
Vulnerability from github – Published: 2026-05-13 18:30 – Updated: 2026-05-13 18:30When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly consider the response as fine.
{
"affected": [],
"aliases": [
"CVE-2026-7009"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-13T13:01:57Z",
"severity": "MODERATE"
},
"details": "When curl is told to use the Certificate Status Request TLS extension, often\nreferred to as *OCSP stapling*, to verify that the server certificate is\nvalid, it fails to detect OCSP problems and instead wrongly consider the\nresponse as fine.",
"id": "GHSA-v355-7mqg-qj9c",
"modified": "2026-05-13T18:30:52Z",
"published": "2026-05-13T18:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7009"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3694390"
},
{
"type": "WEB",
"url": "https://curl.se/docs/CVE-2026-7009.html"
},
{
"type": "WEB",
"url": "https://curl.se/docs/CVE-2026-7009.json"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/04/29/12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V3RF-32HP-HFHF
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20Insufficient validation of the AMD SEV Signing Key (ASK) in the SEND_START command in the SEV Firmware may allow a local authenticated attacker to perform a denial of service of the PSP
{
"affected": [],
"aliases": [
"CVE-2021-26320"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-16T19:15:00Z",
"severity": "MODERATE"
},
"details": "Insufficient validation of the AMD SEV Signing Key (ASK) in the SEND_START command in the SEV Firmware may allow a local authenticated attacker to perform a denial of service of the PSP",
"id": "GHSA-v3rf-32hp-hfhf",
"modified": "2022-05-24T19:20:47Z",
"published": "2022-05-24T19:20:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26320"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1021"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-V3WX-9J8M-4934
Vulnerability from github – Published: 2025-02-10 15:32 – Updated: 2025-02-10 18:30Improper host validation in the certificate validation component in Devolutions Remote Desktop Manager on 2024.3.19 and earlier on Windows allows an attacker to intercept and modify encrypted communications via a man-in-the-middle attack by presenting a certificate for a different host.
{
"affected": [],
"aliases": [
"CVE-2025-1193"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-10T14:15:30Z",
"severity": "HIGH"
},
"details": "Improper host validation in the certificate validation component in Devolutions Remote Desktop Manager on 2024.3.19 and earlier on Windows allows an attacker to intercept and modify encrypted communications via a man-in-the-middle attack \nby presenting a certificate for a different host.",
"id": "GHSA-v3wx-9j8m-4934",
"modified": "2025-02-10T18:30:46Z",
"published": "2025-02-10T15:32:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1193"
},
{
"type": "WEB",
"url": "https://devolutions.net/security/advisories/DEVO-2025-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V473-H83F-X76X
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36It was discovered that rpm-ostree and rpm-ostree-client before 2017.3 fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could fail to be rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certificate pinning is used by default.
{
"affected": [],
"aliases": [
"CVE-2017-2623"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-27T18:29:00Z",
"severity": "MODERATE"
},
"details": "It was discovered that rpm-ostree and rpm-ostree-client before 2017.3 fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could fail to be rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certificate pinning is used by default.",
"id": "GHSA-v473-h83f-x76x",
"modified": "2022-05-13T01:36:52Z",
"published": "2022-05-13T01:36:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2623"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:0444"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2623"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96558"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V49P-M6GH-747C
Vulnerability from github – Published: 2024-12-13 06:30 – Updated: 2025-02-21 16:08Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks such as two-factor authentication, LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "djoser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-21543"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-13T20:37:27Z",
"nvd_published_at": "2024-12-13T05:15:07Z",
"severity": "HIGH"
},
"details": "Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks such as two-factor authentication, LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS.",
"id": "GHSA-v49p-m6gh-747c",
"modified": "2025-02-21T16:08:48Z",
"published": "2024-12-13T06:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21543"
},
{
"type": "WEB",
"url": "https://github.com/sunscrapers/djoser/issues/795"
},
{
"type": "WEB",
"url": "https://github.com/sunscrapers/djoser/pull/819"
},
{
"type": "WEB",
"url": "https://github.com/sunscrapers/djoser/commit/d33c3993c0c735f23cbedc60fa59fce69354f19d"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/djoser/PYSEC-2024-158.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/sunscrapers/djoser"
},
{
"type": "WEB",
"url": "https://github.com/sunscrapers/djoser/releases/tag/2.3.0"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00023.html"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-PYTHON-DJOSER-8366540"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "djoser Authentication Bypass"
}
GHSA-V4CJ-7V9R-2F8Q
Vulnerability from github – Published: 2022-05-17 02:39 – Updated: 2025-04-20 03:39The "SCSB Shelbyville IL Mobile Banking" by Shelby County State Bank app 3.0.0 -- aka scsb-shelbyville-il-mobile-banking/id938960224 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
{
"affected": [],
"aliases": [
"CVE-2017-9589"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-16T12:29:00Z",
"severity": "MODERATE"
},
"details": "The \"SCSB Shelbyville IL Mobile Banking\" by Shelby County State Bank app 3.0.0 -- aka scsb-shelbyville-il-mobile-banking/id938960224 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.",
"id": "GHSA-v4cj-7v9r-2f8q",
"modified": "2025-04-20T03:39:13Z",
"published": "2022-05-17T02:39:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9589"
},
{
"type": "WEB",
"url": "https://medium.com/%40chronic_9612/advisory-44-credit-union-apps-for-ios-may-allow-login-credential-exposure-4d2f380b85c5"
},
{
"type": "WEB",
"url": "https://medium.com/@chronic_9612/advisory-44-credit-union-apps-for-ios-may-allow-login-credential-exposure-4d2f380b85c5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V4H7-R9V8-HP3G
Vulnerability from github – Published: 2023-02-02 00:30 – Updated: 2023-02-09 21:30Rapid7 Nexpose and InsightVM versions 6.6.82 through 6.6.177 fail to validate the certificate of the update server when downloading updates. This failure could allow an attacker in a privileged position on the network to provide their own HTTPS endpoint, or intercept communications to the legitimate endpoint. The attacker would need some pre-existing access to at least one node on the network path between the Rapid7-controlled update server and the Nexpose/InsightVM application, and the ability to either spoof the update server's FQDN or redirect legitimate traffic to the attacker's server in order to exploit this vulnerability. Note that even in this scenario, an attacker could not normally replace an update package with a malicious package, since the update process validates a separate, code-signing certificate, distinct from the HTTPS certificate used for communication. This issue was resolved on February 1, 2023 in update 6.6.178 of Nexpose and InsightVM.
{
"affected": [],
"aliases": [
"CVE-2022-3913"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-01T22:15:00Z",
"severity": "MODERATE"
},
"details": "Rapid7 Nexpose and InsightVM versions 6.6.82 through 6.6.177 fail to validate the certificate of the update server when downloading updates. This failure could allow an attacker in a privileged position on the network to provide their own HTTPS endpoint, or intercept communications to the legitimate endpoint. The attacker would need some pre-existing access to at least one node on the network path between the Rapid7-controlled update server and the Nexpose/InsightVM application, and the ability to either spoof the update server\u0027s FQDN or redirect legitimate traffic to the attacker\u0027s server in order to exploit this vulnerability. Note that even in this scenario, an attacker could not normally replace an update package with a malicious package, since the update process validates a separate, code-signing certificate, distinct from the HTTPS certificate used for communication. This issue was resolved on February 1, 2023 in update 6.6.178 of Nexpose and InsightVM.",
"id": "GHSA-v4h7-r9v8-hp3g",
"modified": "2023-02-09T21:30:28Z",
"published": "2023-02-02T00:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3913"
},
{
"type": "WEB",
"url": "https://docs.rapid7.com/release-notes/nexpose/20230201"
},
{
"type": "WEB",
"url": "https://www.rapid7.com/blog/post/2022/12/07/cve-2022-4261-rapid7-nexpose-update-validation-issue-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.
Mitigation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.