CWE-295
AllowedImproper Certificate Validation
Abstraction: Base · Status: Draft
The product does not validate, or incorrectly validates, a certificate.
1903 vulnerabilities reference this CWE, most recent first.
GHSA-VF4W-FG7R-5V94
Vulnerability from github – Published: 2021-04-07 20:56 – Updated: 2021-04-23 00:22phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1.5 signature verification.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "phpseclib/phpseclib"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpseclib/phpseclib"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-30130"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-07T17:29:49Z",
"nvd_published_at": "2021-04-06T15:15:00Z",
"severity": "HIGH"
},
"details": "phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1.5 signature verification.",
"id": "GHSA-vf4w-fg7r-5v94",
"modified": "2021-04-23T00:22:49Z",
"published": "2021-04-07T20:56:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30130"
},
{
"type": "WEB",
"url": "https://github.com/phpseclib/phpseclib/pull/1635"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpseclib/phpseclib/CVE-2021-30130.yaml"
},
{
"type": "WEB",
"url": "https://github.com/phpseclib/phpseclib/releases/tag/2.0.31"
},
{
"type": "WEB",
"url": "https://github.com/phpseclib/phpseclib/releases/tag/3.0.7"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00024.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00025.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Certificate Validation in phpseclib"
}
GHSA-VF58-GGX8-PWP7
Vulnerability from github – Published: 2025-09-19 21:31 – Updated: 2025-11-25 15:31Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.1049 and Application versions prior to 20.0.2786 (VA and SaaS deployments) contain insecure defaults and code patterns that disable TLS/SSL certificate verification for communications to printers and internal microservices. In multiple places, the application sets libcurl/PHP transport options such that CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are effectively disabled, and environment variables (for example API_*_VERIFYSSL=false) are used to turn off verification for gateway and microservice endpoints. As a result, the client accepts TLS connections without validating server certificates (and, in some cases, uses clear-text HTTP), permitting on-path attackers to perform man-in-the-middle (MitM) attacks. An attacker able to intercept network traffic between the product and printers or microservices can eavesdrop on and modify sensitive data (including print jobs, configuration, and authentication tokens), inject malicious payloads, or disrupt service.
{
"affected": [],
"aliases": [
"CVE-2025-34199"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-319"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-19T19:15:40Z",
"severity": "CRITICAL"
},
"details": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.1049 and Application versions prior to\u00a020.0.2786 (VA and SaaS deployments) contain insecure defaults and code patterns that disable TLS/SSL certificate verification for communications to printers and internal microservices. In multiple places, the application sets libcurl/PHP transport options such that CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are effectively disabled, and environment variables (for example API_*_VERIFYSSL=false) are used to turn off verification for gateway and microservice endpoints. As a result, the client accepts TLS connections without validating server certificates (and, in some cases, uses clear-text HTTP), permitting on-path attackers to perform man-in-the-middle (MitM) attacks. An attacker able to intercept network traffic between the product and printers or microservices can eavesdrop on and modify sensitive data (including print jobs, configuration, and authentication tokens), inject malicious payloads, or disrupt service.",
"id": "GHSA-vf58-ggx8-pwp7",
"modified": "2025-11-25T15:31:33Z",
"published": "2025-09-19T21:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34199"
},
{
"type": "WEB",
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"type": "WEB",
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"type": "WEB",
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-insecure-communications"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-insecure-ssl-verification-allows-mitm-attacks"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VFXC-R2GX-V2VQ
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2023-09-29 16:02An issue was discovered in Hybrid Group Gobot before 1.13.0. The mqtt subsystem skips verification of root CA certificates by default.
Specific Go Packages Affected
github.com/hybridgroup/gobot/platforms/mqtt
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/hybridgroup/gobot"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.1-0.20190521122906-c1aa4f867846"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-12496"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-08T00:25:02Z",
"nvd_published_at": "2019-05-31T11:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Hybrid Group Gobot before 1.13.0. The mqtt subsystem skips verification of root CA certificates by default.\n\n### Specific Go Packages Affected\ngithub.com/hybridgroup/gobot/platforms/mqtt",
"id": "GHSA-vfxc-r2gx-v2vq",
"modified": "2023-09-29T16:02:16Z",
"published": "2022-05-24T16:46:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12496"
},
{
"type": "WEB",
"url": "https://github.com/hybridgroup/gobot/commit/c1aa4f867846da4669ecf3bc3318bd96b7ee6f3f"
},
{
"type": "PACKAGE",
"url": "https://github.com/hybridgroup/gobot"
},
{
"type": "WEB",
"url": "https://github.com/hybridgroup/gobot/compare/ed53198...7f973df"
},
{
"type": "WEB",
"url": "https://github.com/hybridgroup/gobot/releases/tag/v1.13.0"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2021-0083"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Hybrid Group Gobot Improper Certificate Validation vulnerability"
}
GHSA-VG99-GR89-QHW9
Vulnerability from github – Published: 2026-07-13 18:37 – Updated: 2026-07-13 18:37Summary
The second stage pilot (pilot.tar) is downloaded by the initial wrapper script without any verification of the webservers' SSL certificate and the contained script is subsequently executed. The checksum is tested, but the reference checksum file is downloaded over the same unvalidated channel.
Details
The pilot wrapper downloads and executes the main second stage pilot script, but the SSL validation on this connection is explicitly disabled (to match old python < 2.7.9 behaviour): https://github.com/DIRACGrid/DIRAC/blob/integration/src/DIRAC/WorkloadManagementSystem/Utilities/PilotWrapper.py#L292-L296
This means that the second stage pilot code is not verified in any way and could potentially be altered by a man-in-the-middle attack to execute arbitrary code in the pilot context (i.e. with access to the pilot proxy/credentials).
The HTTPS connection should be validated against both the system certificates and $X509_CERT_DIR and fail if neither validate correctly.
Impact
This would require a man-in-the-middle style attack against a grid site's network (i.e. changing the DNS or routing to redirect the pilot's connection); this is likely to be difficult which probably limits the potential impact.
Patched versions:
https://pypi.org/project/DIRAC/8.0.79/ https://pypi.org/project/DIRAC/9.0.22/ https://pypi.org/project/DIRAC/9.1.10/
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "DIRAC"
},
"ranges": [
{
"events": [
{
"introduced": "6.20.1"
},
{
"fixed": "8.0.79"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "DIRAC"
},
"ranges": [
{
"events": [
{
"introduced": "8.1.0a1"
},
{
"fixed": "9.0.22"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "DIRAC"
},
"ranges": [
{
"events": [
{
"introduced": "9.1.0"
},
{
"fixed": "9.1.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-61668"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-13T18:37:51Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nThe second stage pilot (pilot.tar) is downloaded by the initial wrapper script without any verification of the webservers\u0027 SSL certificate and the contained script is subsequently executed. The checksum is tested, but the reference checksum file is downloaded over the same unvalidated channel.\n\n### Details\nThe pilot wrapper downloads and executes the main second stage pilot script, but the SSL validation on this connection is explicitly disabled (to match old python \u003c 2.7.9 behaviour):\nhttps://github.com/DIRACGrid/DIRAC/blob/integration/src/DIRAC/WorkloadManagementSystem/Utilities/PilotWrapper.py#L292-L296\n\nThis means that the second stage pilot code is not verified in any way and could potentially be altered by a man-in-the-middle attack to execute arbitrary code in the pilot context (i.e. with access to the pilot proxy/credentials).\n\nThe HTTPS connection should be validated against both the system certificates and $X509_CERT_DIR and fail if neither validate correctly.\n\n### Impact\nThis would require a man-in-the-middle style attack against a grid site\u0027s network (i.e. changing the DNS or routing to redirect the pilot\u0027s connection); this is likely to be difficult which probably limits the potential impact.\n\n### Patched versions:\nhttps://pypi.org/project/DIRAC/8.0.79/\nhttps://pypi.org/project/DIRAC/9.0.22/\nhttps://pypi.org/project/DIRAC/9.1.10/",
"id": "GHSA-vg99-gr89-qhw9",
"modified": "2026-07-13T18:37:51Z",
"published": "2026-07-13T18:37:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/DIRACGrid/DIRAC/security/advisories/GHSA-vg99-gr89-qhw9"
},
{
"type": "PACKAGE",
"url": "https://github.com/DIRACGrid/DIRAC"
},
{
"type": "WEB",
"url": "https://pypi.org/project/DIRAC/8.0.79"
},
{
"type": "WEB",
"url": "https://pypi.org/project/DIRAC/9.0.22"
},
{
"type": "WEB",
"url": "https://pypi.org/project/DIRAC/9.1.10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "DIRAC: Pilot code downloaded over unverified HTTPS connection"
}
GHSA-VH73-Q3RW-QX7W
Vulnerability from github – Published: 2024-02-05 21:30 – Updated: 2024-02-05 23:06Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/boundary"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.0"
},
{
"fixed": "0.15.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-1052"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-05T23:06:56Z",
"nvd_published_at": "2024-02-05T21:15:11Z",
"severity": "HIGH"
},
"details": "Boundary and Boundary Enterprise (\u201cBoundary\u201d) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application.",
"id": "GHSA-vh73-q3rw-qx7w",
"modified": "2024-02-05T23:06:56Z",
"published": "2024-02-05T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1052"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2024-02-boundary-vulnerable-to-session-hijacking-through-tls-certificate-tampering/62458"
},
{
"type": "PACKAGE",
"url": "https://github.com/hashicorp/boundary"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Boundary vulnerable to session hijacking through TLS certificate tampering"
}
GHSA-VHCM-29FV-3VX5
Vulnerability from github – Published: 2024-12-16 18:31 – Updated: 2024-12-16 18:31An improper validation vulnerability was reported in the firmware update mechanism of LADM and LDCC that could allow a local attacker to escalate privileges.
{
"affected": [],
"aliases": [
"CVE-2024-4762"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-16T17:15:10Z",
"severity": "HIGH"
},
"details": "An improper validation vulnerability was reported in the firmware update mechanism of LADM and LDCC that could allow a local attacker to escalate privileges.",
"id": "GHSA-vhcm-29fv-3vx5",
"modified": "2024-12-16T18:31:09Z",
"published": "2024-12-16T18:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4762"
},
{
"type": "WEB",
"url": "https://support.lenovo.co/us/en/product_security/LEN-174319"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VHFP-M358-H5G3
Vulnerability from github – Published: 2023-05-10 21:30 – Updated: 2024-04-04 04:01An Improper Certificate Validation vulnerability
in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface
could allow a remote unauthenticated attacker to conduct a man-in-the-middle (MitM) attack. See SEL Service Bulletin dated 2022-11-15 for more details.
{
"affected": [],
"aliases": [
"CVE-2023-31151"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-10T20:15:10Z",
"severity": "MODERATE"
},
"details": "An Improper Certificate Validation vulnerability \n\nin the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface\n\ncould allow a remote unauthenticated attacker to conduct a man-in-the-middle (MitM) attack.\nSee SEL Service Bulletin dated 2022-11-15 for more details.\n\n\n\n\n",
"id": "GHSA-vhfp-m358-h5g3",
"modified": "2024-04-04T04:01:37Z",
"published": "2023-05-10T21:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31151"
},
{
"type": "WEB",
"url": "https://selinc.com/support/security-notifications/external-reports"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/blog"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VHG4-6QHJ-G32H
Vulnerability from github – Published: 2022-05-17 00:19 – Updated: 2022-05-17 00:19Savitech driver packages for Windows silently install a self-signed certificate into the Trusted Root Certification Authorities store, aka "Inaudible Subversion."
{
"affected": [],
"aliases": [
"CVE-2017-9758"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-10T02:29:00Z",
"severity": "HIGH"
},
"details": "Savitech driver packages for Windows silently install a self-signed certificate into the Trusted Root Certification Authorities store, aka \"Inaudible Subversion.\"",
"id": "GHSA-vhg4-6qhj-g32h",
"modified": "2022-05-17T00:19:52Z",
"published": "2022-05-17T00:19:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9758"
},
{
"type": "WEB",
"url": "https://community.rsa.com/community/products/netwitness/blog/2017/10/27/inaudible-subversion-did-your-hi-fi-just-subvert-your-pc"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/446847"
},
{
"type": "WEB",
"url": "https://zeroday.hitcon.org/vulnerability/ZD-2017-00386"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101700"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VJ5R-MMP4-3HRX
Vulnerability from github – Published: 2022-11-16 12:00 – Updated: 2022-12-15 20:44Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier unconditionally disables SSL/TLS certificate and hostname validation for several features. Currently, there are no known workarounds or patches.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:cavisson-ns-nd-integration"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.8.0.146"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-38666"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-21T22:19:30Z",
"nvd_published_at": "2022-11-15T20:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier unconditionally disables SSL/TLS certificate and hostname validation for several features. Currently, there are no known workarounds or patches.",
"id": "GHSA-vj5r-mmp4-3hrx",
"modified": "2022-12-15T20:44:46Z",
"published": "2022-11-16T12:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38666"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/cavisson-ns-nd-integration-plugin/releases"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2910%20(2)"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/11/15/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "SSL/TLS certificate validation unconditionally disabled by Jenkins NS-ND Integration Performance Publisher Plugin"
}
GHSA-VJGV-P598-G52V
Vulnerability from github – Published: 2022-05-14 03:23 – Updated: 2022-05-14 03:23An issue was discovered in MikroTik RouterOS 6.41.4. Missing OpenVPN server certificate verification allows a remote unauthenticated attacker capable of intercepting client traffic to act as a malicious OpenVPN server. This may allow the attacker to gain access to the client's internal network (for example, at site-to-site tunnels).
{
"affected": [],
"aliases": [
"CVE-2018-10066"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-13T13:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in MikroTik RouterOS 6.41.4. Missing OpenVPN server certificate verification allows a remote unauthenticated attacker capable of intercepting client traffic to act as a malicious OpenVPN server. This may allow the attacker to gain access to the client\u0027s internal network (for example, at site-to-site tunnels).",
"id": "GHSA-vjgv-p598-g52v",
"modified": "2022-05-14T03:23:04Z",
"published": "2022-05-14T03:23:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10066"
},
{
"type": "WEB",
"url": "https://janis-streib.de/2018/04/11/mikrotik-openvpn-security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.
Mitigation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.