Common Weakness Enumeration

CWE-297

Allowed

Improper Validation of Certificate with Host Mismatch

Abstraction: Variant · Status: Incomplete

The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.

99 vulnerabilities reference this CWE, most recent first.

GHSA-RW69-WR48-W7PX

Vulnerability from github – Published: 2023-12-01 00:31 – Updated: 2023-12-01 00:31
VLAI
Details

KEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5909"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295",
      "CWE-297"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-30T22:15:10Z",
    "severity": "HIGH"
  },
  "details": "\n\n\n\n\n\n\n\n\nKEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect.\n\n\n\n\n\n\n\n",
  "id": "GHSA-rw69-wr48-w7px",
  "modified": "2023-12-01T00:31:00Z",
  "published": "2023-12-01T00:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5909"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VC5P-V9HR-52MJ

Vulnerability from github – Published: 2025-12-18 21:31 – Updated: 2025-12-19 22:08
VLAI
Summary
Apache Log4j does not verify the TLS hostname in its Socket Appender
Details

The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName configuration attribute or the log4j2.sslVerifyHostName system property is set to true.

This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:

  • The attacker is able to intercept or redirect network traffic between the client and the log receiver.
  • The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured).

Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.

As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.logging.log4j:log4j-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0-beta9"
            },
            {
              "fixed": "2.25.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68161"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-297"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-19T22:08:02Z",
    "nvd_published_at": "2025-12-18T21:15:57Z",
    "severity": "MODERATE"
  },
  "details": "The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the  [verifyHostName](https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName)  configuration attribute or the  [log4j2.sslVerifyHostName](https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) system property is set to true.\n\nThis issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:\n\n  *  The attacker is able to intercept or redirect network traffic between the client and the log receiver.\n  *  The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender\u2019s configured trust store (or by the default Java trust store if no custom trust store is configured).\n\n\nUsers are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.\n\nAs an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.",
  "id": "GHSA-vc5p-v9hr-52mj",
  "modified": "2025-12-19T22:08:02Z",
  "published": "2025-12-18T21:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68161"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/logging-log4j2/pull/4002"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/logging-log4j2/commit/3b93748497e1adbbd027fda8a5e7268ec5d0d578"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/logging-log4j2"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/xr33kyxq3sl67lwb61ggvm1fzc8k7dvx"
    },
    {
      "type": "WEB",
      "url": "https://logging.apache.org/cyclonedx/vdr.xml"
    },
    {
      "type": "WEB",
      "url": "https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName"
    },
    {
      "type": "WEB",
      "url": "https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName"
    },
    {
      "type": "WEB",
      "url": "https://logging.apache.org/security.html#CVE-2025-68161"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/12/18/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Log4j does not verify the TLS hostname in its Socket Appender"
}

GHSA-VMVC-QPG6-JPWH

Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-09-17 15:30
VLAI
Details

An issue was discovered in the methods push.lite.avtech.com.AvtechLib.GetHttpsResponse and push.lite.avtech.com.Push_HttpService.getNewHttpClient in AVTECH EagleEyes 2.0.0. The methods set ALLOW_ALL_HOSTNAME_VERIFIER, bypassing domain validation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46408"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-297"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-15T14:15:43Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in the methods push.lite.avtech.com.AvtechLib.GetHttpsResponse and push.lite.avtech.com.Push_HttpService.getNewHttpClient in AVTECH EagleEyes 2.0.0. The methods set ALLOW_ALL_HOSTNAME_VERIFIER, bypassing domain validation.",
  "id": "GHSA-vmvc-qpg6-jpwh",
  "modified": "2025-09-17T15:30:26Z",
  "published": "2025-09-15T15:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46408"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shinyColumn/CVE-2025-46408"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WWH7-VXVP-9VMX

Vulnerability from github – Published: 2025-07-22 15:32 – Updated: 2026-06-05 18:31
VLAI
Details

Improper Validation of Certificate with Host Mismatch vulnerability in HotelRunner B2B allows HTTP Response Splitting.This issue affects B2B: before 04.06.2025.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4295"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-297"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-22T14:15:34Z",
    "severity": "MODERATE"
  },
  "details": "Improper Validation of Certificate with Host Mismatch vulnerability in HotelRunner B2B allows HTTP Response Splitting.This issue affects B2B: before 04.06.2025.",
  "id": "GHSA-wwh7-vxvp-9vmx",
  "modified": "2026-06-05T18:31:31Z",
  "published": "2025-07-22T15:32:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4295"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0169"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-25-0169"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X9Q2-9WF7-RMVQ

Vulnerability from github – Published: 2024-06-11 15:31 – Updated: 2024-06-11 15:31
VLAI
Details

Allow attackers to intercept or falsify data exchanges between the client and the server

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2462"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-297"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-11T13:15:49Z",
    "severity": null
  },
  "details": "Allow attackers to intercept or falsify data exchanges between the client \nand the server",
  "id": "GHSA-x9q2-9wf7-rmvq",
  "modified": "2024-06-11T15:31:13Z",
  "published": "2024-06-11T15:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2462"
    },
    {
      "type": "WEB",
      "url": "https://publisher.hitachienergy.com/preview?DocumentId=8DBD000198\u0026languageCode=en\u0026Preview=true"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XCP8-J3HP-GGM2

Vulnerability from github – Published: 2022-05-17 01:21 – Updated: 2022-05-17 01:21
VLAI
Details

PKId in Juniper Junos OS before 12.1X44-D52, 12.1X46 before 12.1X46-D37, 12.1X47 before 12.1X47-D30, 12.3 before 12.3R12, 12.3X48 before 12.3X48-D20, 13.3 before 13.3R10, 14.1 before 14.1R8, 14.1X53 before 14.1X53-D40, 14.2 before 14.2R7, 15.1 before 15.1R4, 15.1X49 before 15.1X49-D20, 15.1X53 before 15.1X53-D60, and 16.1 before 16.1R1 allow remote attackers to bypass an intended certificate validation mechanism via a self-signed certificate with an Issuer name that matches a valid CA certificate enrolled in Junos.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-1280"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-297"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-09-09T14:05:00Z",
    "severity": "MODERATE"
  },
  "details": "PKId in Juniper Junos OS before 12.1X44-D52, 12.1X46 before 12.1X46-D37, 12.1X47 before 12.1X47-D30, 12.3 before 12.3R12, 12.3X48 before 12.3X48-D20, 13.3 before 13.3R10, 14.1 before 14.1R8, 14.1X53 before 14.1X53-D40, 14.2 before 14.2R7, 15.1 before 15.1R4, 15.1X49 before 15.1X49-D20, 15.1X53 before 15.1X53-D60, and 16.1 before 16.1R1 allow remote attackers to bypass an intended certificate validation mechanism via a self-signed certificate with an Issuer name that matches a valid CA certificate enrolled in Junos.",
  "id": "GHSA-xcp8-j3hp-ggm2",
  "modified": "2022-05-17T01:21:44Z",
  "published": "2022-05-17T01:21:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1280"
    },
    {
      "type": "WEB",
      "url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10755"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/91761"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1036303"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XP2H-P87P-622P

Vulnerability from github – Published: 2025-03-11 09:30 – Updated: 2025-03-11 15:30
VLAI
Details

The mobile application (com.transsnet.store) has a man-in-the-middle attack vulnerability, which may lead to code injection risks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2190"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-297",
      "CWE-300"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-11T07:15:37Z",
    "severity": "HIGH"
  },
  "details": "The mobile application (com.transsnet.store) has a man-in-the-middle attack vulnerability, which may lead to code injection risks.",
  "id": "GHSA-xp2h-p87p-622p",
  "modified": "2025-03-11T15:30:59Z",
  "published": "2025-03-11T09:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2190"
    },
    {
      "type": "WEB",
      "url": "https://security.tecno.com/SRC/blogdetail/393?lang=en_US"
    },
    {
      "type": "WEB",
      "url": "https://security.tecno.com/SRC/securityUpdates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XP6F-P933-2GQG

Vulnerability from github – Published: 2026-02-12 18:30 – Updated: 2026-02-20 18:31
VLAI
Details

Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disable TLS hostname verification when HTTPS is enabled (the default configuration). In GalaxyFDSClientImpl.createHttpClient(), the SDK configures Apache HttpClient with SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER, which accepts any valid TLS certificate regardless of hostname mismatch. Because HTTPS is enabled by default in FDSClientConfiguration, all applications using the SDK with default settings are affected. This vulnerability allows a man-in-the-middle attacker to intercept and modify SDK communications to Xiaomi FDS cloud storage endpoints, potentially exposing authentication credentials, file contents, and API responses. The XiaoMi/galaxy-fds-sdk-android open source project has reached end-of-life status.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-26214"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-297"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-12T16:16:17Z",
    "severity": "CRITICAL"
  },
  "details": "Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disable TLS hostname verification when HTTPS is enabled (the default configuration). In GalaxyFDSClientImpl.createHttpClient(), the SDK configures Apache HttpClient with SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER, which accepts any valid TLS certificate regardless of hostname mismatch. Because HTTPS is enabled by default in FDSClientConfiguration, all applications using the SDK with default settings are affected. This vulnerability allows a man-in-the-middle attacker to intercept and modify SDK communications to Xiaomi FDS cloud storage endpoints, potentially exposing authentication credentials, file contents, and API responses. The XiaoMi/galaxy-fds-sdk-android open source project has reached end-of-life status.",
  "id": "GHSA-xp6f-p933-2gqg",
  "modified": "2026-02-20T18:31:26Z",
  "published": "2026-02-12T18:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26214"
    },
    {
      "type": "WEB",
      "url": "https://github.com/XavLimSG/Vulnerability-Research/blob/main/CVE-2026-26214/CVE-2026-26214.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/XiaoMi/galaxy-fds-sdk-android"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/xiaomi-galaxy-fds-android-sdk-tls-hostname-verification-disabled-enables-mitm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XWF9-WF96-C767

Vulnerability from github – Published: 2026-06-16 03:30 – Updated: 2026-06-16 15:33
VLAI
Details

Improper host validation in the social login autofill feature in Devolutions Remote Desktop Manager 2026.2.8 allows an attacker to disclose stored social login credentials via a crafted web entry pointing to a provider lookalike domain.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12162"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-297"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-16T01:16:23Z",
    "severity": "MODERATE"
  },
  "details": "Improper host validation in the social login autofill feature in \nDevolutions Remote Desktop Manager 2026.2.8 allows an attacker to \ndisclose stored social login credentials via a crafted web entry \npointing to a provider lookalike domain.",
  "id": "GHSA-xwf9-wf96-c767",
  "modified": "2026-06-16T15:33:47Z",
  "published": "2026-06-16T03:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12162"
    },
    {
      "type": "WEB",
      "url": "https://devolutions.net/security/advisories/DEVO-2026-0018"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Fully check the hostname of the certificate and provide the user with adequate information about the nature of the problem and how to proceed.

Mitigation
Implementation

If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.

No CAPEC attack patterns related to this CWE.