CWE-295
AllowedImproper Certificate Validation
Abstraction: Base · Status: Draft
The product does not validate, or incorrectly validates, a certificate.
1903 vulnerabilities reference this CWE, most recent first.
GHSA-X5F3-QMWJ-4F84
Vulnerability from github – Published: 2022-02-15 01:57 – Updated: 2023-10-02 11:32Cosmos Network Ethermint <= v0.4.0 is affected by a cross-chain transaction replay vulnerability in the EVM module. Since ethermint uses the same chainIDEpoch and signature schemes with ethereum for compatibility, a verified signature in ethereum is still valid in ethermint with the same msg content and chainIDEpoch, which enables "cross-chain transaction replay" attack.
Specific Go Packages Affected
github.com/cosmos/ethermint/rpc/namespaces/eth
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/cosmos/ethermint"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-25835"
],
"database_specific": {
"cwe_ids": [
"CWE-294",
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-12T21:11:09Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Cosmos Network Ethermint \u003c= v0.4.0 is affected by a cross-chain transaction replay vulnerability in the EVM module. Since ethermint uses the same chainIDEpoch and signature schemes with ethereum for compatibility, a verified signature in ethereum is still valid in ethermint with the same msg content and chainIDEpoch, which enables \"cross-chain transaction replay\" attack.\n\n### Specific Go Packages Affected\ngithub.com/cosmos/ethermint/rpc/namespaces/eth",
"id": "GHSA-x5f3-qmwj-4f84",
"modified": "2023-10-02T11:32:33Z",
"published": "2022-02-15T01:57:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25835"
},
{
"type": "WEB",
"url": "https://github.com/cosmos/ethermint/issues/687"
},
{
"type": "WEB",
"url": "https://github.com/cosmos/ethermint/pull/692"
},
{
"type": "WEB",
"url": "https://github.com/cosmos/ethermint/releases/tag/v0.4.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Authentication bypass by capture-replay in github.com/cosmos/ethermint"
}
GHSA-X5HG-X4GV-J98M
Vulnerability from github – Published: 2026-05-07 00:09 – Updated: 2026-05-07 00:09Description
A regression was introduced in OpenSearch 2.18.0 that caused the plugins.security.ssl.transport.enforce_hostname_verification setting to be ineffective. When this setting was enabled, OpenSearch did not verify that the hostname in a connecting node's TLS certificate matched the hostname of the connection. This could allow a node with a valid certificate (signed by the cluster's trusted CA) but an incorrect hostname SAN to join the cluster.
Impact
Clusters running affected versions with hostname verification enabled did not receive the expected protection from this setting. A node presenting a certificate signed by the cluster's trusted CA could join the cluster regardless of whether its hostname SAN matched. This regression does not affect certificate validation itself — only the additional hostname verification check.
Patches
This issue is fixed in OpenSearch 2.19.4 and 3.3.0.
Workarounds
Use more restrictive values for plugins.security.nodes_dn to limit which certificates are accepted for node-to-node communication.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.opensearch.plugin:opensearch-security"
},
"ranges": [
{
"events": [
{
"introduced": "2.18.0"
},
{
"fixed": "2.19.4.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.opensearch.plugin:opensearch-security"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.3.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T00:09:18Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Description\n\nA regression was introduced in OpenSearch 2.18.0 that caused the `plugins.security.ssl.transport.enforce_hostname_verification` setting to be ineffective. When this setting was enabled, OpenSearch did not verify that the hostname in a connecting node\u0027s TLS certificate matched the hostname of the connection. This could allow a node with a valid certificate (signed by the cluster\u0027s trusted CA) but an incorrect hostname SAN to join the cluster.\n\n### Impact\n\nClusters running affected versions with hostname verification enabled did not receive the expected protection from this setting. A node presenting a certificate signed by the cluster\u0027s trusted CA could join the cluster regardless of whether its hostname SAN matched. This regression does not affect certificate validation itself \u2014 only the additional hostname verification check.\n\n### Patches\n\nThis issue is fixed in OpenSearch 2.19.4 and 3.3.0.\n\n### Workarounds\n\nUse more restrictive values for `plugins.security.nodes_dn` to limit which certificates are accepted for node-to-node communication.",
"id": "GHSA-x5hg-x4gv-j98m",
"modified": "2026-05-07T00:09:18Z",
"published": "2026-05-07T00:09:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/opensearch-project/security/security/advisories/GHSA-x5hg-x4gv-j98m"
},
{
"type": "PACKAGE",
"url": "https://github.com/opensearch-project/security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenSearch has ineffective TLS certificate hostname verification"
}
GHSA-X5PM-H33Q-CJRW
Vulnerability from github – Published: 2024-02-20 21:30 – Updated: 2024-08-15 21:37When ssl was enabled for Mongo Hook, default settings included "allow_insecure" which caused that certificates were not validated. This was unexpected and undocumented. Users are recommended to upgrade to version 4.0.0, which fixes this issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow-providers-mongo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-25141"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-21T02:27:37Z",
"nvd_published_at": "2024-02-20T21:15:08Z",
"severity": "CRITICAL"
},
"details": "When ssl\u00a0was enabled for Mongo Hook, default settings included \"allow_insecure\" which caused that certificates were not validated. This was unexpected and undocumented.\nUsers are recommended to upgrade to version 4.0.0, which fixes this issue.",
"id": "GHSA-x5pm-h33q-cjrw",
"modified": "2024-08-15T21:37:23Z",
"published": "2024-02-20T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25141"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/37214"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/sqgbfqngjmn45ommmrgj7hvs7fgspsgm"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Certificate Validation in apache airflow mongo hook"
}
GHSA-X5QP-6Q24-3MCQ
Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2022-05-13 01:42An issue was discovered in heinekingmedia StashCat before 1.5.18 for Android. No certificate pinning is implemented; therefore the attacker could issue a certificate for the backend and the application would not notice it.
{
"affected": [],
"aliases": [
"CVE-2017-11132"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-01T14:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in heinekingmedia StashCat before 1.5.18 for Android. No certificate pinning is implemented; therefore the attacker could issue a certificate for the backend and the application would not notice it.",
"id": "GHSA-x5qp-6q24-3mcq",
"modified": "2022-05-13T01:42:08Z",
"published": "2022-05-13T01:42:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11132"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2017/Jul/90"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X654-4WJH-74Q6
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2024-01-30 22:46It was found that jenkins-ssh-slaves-plugin before version 1.15 did not perform host key verification, thereby enabling Man-in-the-Middle attacks.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:ssh-slaves"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-2648"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-30T22:46:58Z",
"nvd_published_at": "2018-07-27T20:29:00Z",
"severity": "MODERATE"
},
"details": "It was found that jenkins-ssh-slaves-plugin before version 1.15 did not perform host key verification, thereby enabling Man-in-the-Middle attacks.",
"id": "GHSA-x654-4wjh-74q6",
"modified": "2024-01-30T22:46:58Z",
"published": "2022-05-13T01:36:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2648"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2648"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2017-03-20"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96985"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Jenkins SSH Build Agents Plugin did not verify host keys"
}
GHSA-X6R5-VXFG-GQ3V
Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2023-08-01 23:17helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. The impact is: Unauthorized clients could connect to the server because self-signed client certs were aloowed. The component is: helm (many files updated, see https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50). The attack vector is: A malicious client could connect to the server over the network. The fixed version is: 2.7.2.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "helm.sh/helm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-1010275"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-01T23:17:41Z",
"nvd_published_at": "2019-07-17T21:15:00Z",
"severity": "CRITICAL"
},
"details": "helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. The impact is: Unauthorized clients could connect to the server because self-signed client certs were aloowed. The component is: helm (many files updated, see https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50). The attack vector is: A malicious client could connect to the server over the network. The fixed version is: 2.7.2.",
"id": "GHSA-x6r5-vxfg-gq3v",
"modified": "2023-08-01T23:17:41Z",
"published": "2022-05-24T16:50:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010275"
},
{
"type": "WEB",
"url": "https://github.com/helm/helm/pull/3152"
},
{
"type": "WEB",
"url": "https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50"
},
{
"type": "WEB",
"url": "https://github.com/helm/helm/commit/1096813bf9a425e2aa4ac755b6c991b626dfab50"
},
{
"type": "WEB",
"url": "https://github.com/helm/helm/releases/tag/v2.7.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Helm Improper Certificate Validation"
}
GHSA-X77C-2RV5-HHQQ
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2025-04-20 03:50Flash Seats Mobile App for Android version 1.7.9 and earlier and for iOS version 1.9.51 and earlier fails to properly validate SSL certificates provided by HTTPS connections, which may enable an attacker to conduct man-in-the-middle (MITM) attacks.
{
"affected": [],
"aliases": [
"CVE-2017-3190"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-16T02:29:00Z",
"severity": "HIGH"
},
"details": "Flash Seats Mobile App for Android version 1.7.9 and earlier and for iOS version 1.9.51 and earlier fails to properly validate SSL certificates provided by HTTPS connections, which may enable an attacker to conduct man-in-the-middle (MITM) attacks.",
"id": "GHSA-x77c-2rv5-hhqq",
"modified": "2025-04-20T03:50:04Z",
"published": "2022-05-13T01:36:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3190"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/247016"
},
{
"type": "WEB",
"url": "https://www.wilderssecurity.com/threads/flash-seats-mobile-app-for-ios-fails-to-validate-ssl-certificates.392553"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96719"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X77J-46HJ-595V
Vulnerability from github – Published: 2024-01-19 21:30 – Updated: 2024-01-30 15:30Cohesity DataProtect 6.8.1 and 6.6.0d was discovered to have a incorrect access control vulnerability due to a lack of TLS Certificate Validation.
{
"affected": [],
"aliases": [
"CVE-2023-33295"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-19T20:15:10Z",
"severity": "MODERATE"
},
"details": "Cohesity DataProtect 6.8.1 and 6.6.0d was discovered to have a incorrect access control vulnerability due to a lack of TLS Certificate Validation.",
"id": "GHSA-x77j-46hj-595v",
"modified": "2024-01-30T15:30:21Z",
"published": "2024-01-19T21:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33295"
},
{
"type": "WEB",
"url": "https://cohesity.com"
},
{
"type": "WEB",
"url": "https://github.com/cohesity/SecAdvisory/blob/master/CVE-2023-33295.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X7F3-R5XV-V2V6
Vulnerability from github – Published: 2022-05-17 03:57 – Updated: 2024-02-14 18:30The Chase mobile banking application for Android does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to overriding the default X509TrustManager. NOTE: this vulnerability was fixed in the summer of 2012, but the version number was not changed or is not known.
{
"affected": [],
"aliases": [
"CVE-2012-5810"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-11-04T22:55:00Z",
"severity": "MODERATE"
},
"details": "The Chase mobile banking application for Android does not verify that the server hostname matches a domain name in the subject\u0027s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to overriding the default X509TrustManager. NOTE: this vulnerability was fixed in the summer of 2012, but the version number was not changed or is not known.",
"id": "GHSA-x7f3-r5xv-v2v6",
"modified": "2024-02-14T18:30:24Z",
"published": "2022-05-17T03:57:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5810"
},
{
"type": "WEB",
"url": "https://docs.google.com/document/pub?id=1roBIeSJsYq3Ntpf6N0PIeeAAvu4ddn7mGo6Qb7aL7ew"
},
{
"type": "WEB",
"url": "http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X8CH-H5VV-Q6CM
Vulnerability from github – Published: 2025-05-28 09:31 – Updated: 2025-05-30 18:31libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.
{
"affected": [],
"aliases": [
"CVE-2025-5025"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-28T07:15:24Z",
"severity": "MODERATE"
},
"details": "libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.",
"id": "GHSA-x8ch-h5vv-q6cm",
"modified": "2025-05-30T18:31:01Z",
"published": "2025-05-28T09:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5025"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3153497"
},
{
"type": "WEB",
"url": "https://curl.se/docs/CVE-2025-5025.html"
},
{
"type": "WEB",
"url": "https://curl.se/docs/CVE-2025-5025.json"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/05/28/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.
Mitigation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.