CWE-297
AllowedImproper Validation of Certificate with Host Mismatch
Abstraction: Variant · Status: Incomplete
The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.
99 vulnerabilities reference this CWE, most recent first.
GHSA-7JWG-HQ85-C6M6
Vulnerability from github – Published: 2022-09-22 00:00 – Updated: 2022-12-06 19:50Jenkins SmallTest Plugin 1.0.4 and earlier does not perform hostname validation when connecting to the configured View26 server that could be abused using a man-in-the-middle attack to intercept these connections. There is currently no known workaround or fix for this issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.smalltest:smalltest"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-41243"
],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-23T13:31:37Z",
"nvd_published_at": "2022-09-21T16:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins SmallTest Plugin 1.0.4 and earlier does not perform hostname validation when connecting to the configured View26 server that could be abused using a man-in-the-middle attack to intercept these connections. There is currently no known workaround or fix for this issue.",
"id": "GHSA-7jwg-hq85-c6m6",
"modified": "2022-12-06T19:50:46Z",
"published": "2022-09-22T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41243"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/smalltest-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2068"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins SmallTest Plugin missing hostname validation"
}
GHSA-7PWC-H2J2-RJGJ
Vulnerability from github – Published: 2026-05-05 09:31 – Updated: 2026-06-02 22:10Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.22.0"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.thrift:libthrift"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.23.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-43869"
],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T19:19:58Z",
"nvd_published_at": "2026-05-05T08:16:01Z",
"severity": "HIGH"
},
"details": "Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift.\n\nThis issue affects Apache Thrift: before 0.23.0.\n\nUsers are recommended to upgrade to version [0.23.0](https://github.com/apache/thrift/releases/tag/v0.23.0), which fixes the issue.",
"id": "GHSA-7pwc-h2j2-rjgj",
"modified": "2026-06-02T22:10:43Z",
"published": "2026-05-05T09:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43869"
},
{
"type": "WEB",
"url": "https://github.com/apache/thrift/commit/0919c3d5506151514e283a63e1fe1ce83e2449d8"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/thrift"
},
{
"type": "WEB",
"url": "https://github.com/apache/thrift/releases/tag/v0.23.0"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/3hsgl1b69wzq3ry39scqbv2dhyl3j52r"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/05/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Apache Thrift has an Improper Validation of Certificate with Host Mismatch Vulnerability"
}
GHSA-7Q9P-CX8R-RH2Q
Vulnerability from github – Published: 2026-01-08 12:30 – Updated: 2026-01-08 15:31When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the libssh global known_hosts file.
{
"affected": [],
"aliases": [
"CVE-2025-15079"
],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-08T10:15:47Z",
"severity": "MODERATE"
},
"details": "When doing SSH-based transfers using either SCP or SFTP, and setting the\nknown_hosts file, libcurl could still mistakenly accept connecting to hosts\n*not present* in the specified file if they were added as recognized in the\nlibssh *global* known_hosts file.",
"id": "GHSA-7q9p-cx8r-rh2q",
"modified": "2026-01-08T15:31:25Z",
"published": "2026-01-08T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15079"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3477116"
},
{
"type": "WEB",
"url": "https://curl.se/docs/CVE-2025-15079.html"
},
{
"type": "WEB",
"url": "https://curl.se/docs/CVE-2025-15079.json"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/01/07/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7XRH-HQFC-G7QR
Vulnerability from github – Published: 2026-03-07 09:30 – Updated: 2026-03-10 19:32Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.zookeeper:zookeeper"
},
"ranges": [
{
"events": [
{
"introduced": "3.8.0"
},
{
"fixed": "3.8.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.zookeeper:zookeeper"
},
"ranges": [
{
"events": [
{
"introduced": "3.9.0"
},
{
"fixed": "3.9.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-24281"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-297"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-10T19:32:52Z",
"nvd_published_at": "2026-03-07T09:16:07Z",
"severity": "HIGH"
},
"details": "Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It\u0027s important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.",
"id": "GHSA-7xrh-hqfc-g7qr",
"modified": "2026-03-10T19:32:52Z",
"published": "2026-03-07T09:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24281"
},
{
"type": "WEB",
"url": "https://github.com/apache/zookeeper/commit/66c4efecdda1302d9cfb3af9eedb122b74452bf3"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/zookeeper"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/ZOOKEEPER-4986"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/088ddsbrzhd5lxzbqf5n24yg0mwh9jt2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/03/07/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager"
}
GHSA-85RW-G4F4-JPRR
Vulnerability from github – Published: 2026-06-01 09:31 – Updated: 2026-07-07 23:46It was identified that the LDAP client implementation in version 2.1.7 does not verify if the server certificate matches the intended LDAP hostname. While the underlying code validates the certificate chain against a trusted authority, the absence of endpoint identification allows a valid certificate issued for an entirely unrelated host to be improperly accepted. This oversight leaves the connection highly vulnerable to server impersonation and complete connection compromise.
The root cause of this vulnerability lies in the incomplete TLS server identity verification within the LDAP client implementation.
The attacker requires MITM capability on the network to exploit this vulnerability. This attacker must be able to present a certificate trusted by the client's configured trust store.
The hostname verification has been enforced in the new version of the LDAP API.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.directory.api:api-ldap-client-api"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35563"
],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-07T23:46:48Z",
"nvd_published_at": "2026-06-01T08:16:20Z",
"severity": "HIGH"
},
"details": "It was identified that the LDAP client implementation in version 2.1.7 does not verify if the server certificate matches the intended LDAP hostname. While the underlying code validates the certificate chain against a trusted authority, the absence of endpoint identification allows a valid certificate issued for an entirely unrelated host to be improperly accepted. This oversight leaves the connection highly vulnerable to server impersonation and complete connection compromise.\n\nThe root cause of this vulnerability lies in the incomplete TLS server identity verification within the LDAP client implementation.\n\nThe attacker requires MITM capability on the network to exploit this vulnerability. This attacker must be able to present a certificate trusted by the client\u0027s configured trust store.\n\nThe hostname verification has been enforced in the new version of the LDAP API.",
"id": "GHSA-85rw-g4f4-jprr",
"modified": "2026-07-07T23:46:48Z",
"published": "2026-06-01T09:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35563"
},
{
"type": "WEB",
"url": "https://github.com/apache/directory-ldap-api/commit/57a7726d8b6436c74945c12f5ba4e12d232d2bac"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/directory-ldap-api"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/5rc2nzqxp1m9wknyf93r8dnp46fhc1nn"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/06/01/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:L/SA:L",
"type": "CVSS_V4"
}
],
"summary": "Apache Directory LDAP API lacks server certificate verification for LDAP hostnames"
}
GHSA-8PP4-FRH8-35PX
Vulnerability from github – Published: 2023-05-30 18:30 – Updated: 2024-04-04 04:23Dell NetWorker, contains an Improper Validation of Certificate with Host Mismatch vulnerability in Rabbitmq port which could disallow replacing CA signed certificates.
{
"affected": [],
"aliases": [
"CVE-2023-24568"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-297"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-30T16:15:09Z",
"severity": "MODERATE"
},
"details": "\nDell NetWorker, contains an Improper Validation of Certificate with Host Mismatch vulnerability in Rabbitmq port which could disallow replacing CA signed certificates.\n\n",
"id": "GHSA-8pp4-frh8-35px",
"modified": "2024-04-04T04:23:24Z",
"published": "2023-05-30T18:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24568"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000210963/dsa-2023-059-dell-networker-security-update-for-a-rabbitmq-vulnerability-related-to-improper-validation-of-hostname-in-rabbitmq-startup-script-which-fails-to-replace-ca-signed-certificates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-8Q5C-2FV2-M4F5
Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2022-05-13 01:01An exploitable vulnerability exists in the remote control functionality of Circle with Disney running firmware 2.0.1. SSL certificates for specific domain names can cause the rclient daemon to accept a different certificate than intended. An attacker can host an HTTPS server with this certificate to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2017-2911"
],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-07T16:29:00Z",
"severity": "MODERATE"
},
"details": "An exploitable vulnerability exists in the remote control functionality of Circle with Disney running firmware 2.0.1. SSL certificates for specific domain names can cause the rclient daemon to accept a different certificate than intended. An attacker can host an HTTPS server with this certificate to trigger this vulnerability.",
"id": "GHSA-8q5c-2fv2-m4f5",
"modified": "2022-05-13T01:01:14Z",
"published": "2022-05-13T01:01:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2911"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0418"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-962W-GJ84-VPR7
Vulnerability from github – Published: 2022-05-14 02:09 – Updated: 2022-05-14 02:09The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
{
"affected": [],
"aliases": [
"CVE-2014-3522"
],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-08-19T18:55:00Z",
"severity": "MODERATE"
},
"details": "The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.",
"id": "GHSA-962w-gj84-vpr7",
"modified": "2022-05-14T02:09:29Z",
"published": "2022-05-14T02:09:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3522"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/95090"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/95311"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201610-05"
},
{
"type": "WEB",
"url": "https://subversion.apache.org/security/CVE-2014-3522-advisory.txt"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT204427"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2015/Mar/msg00003.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2014-08/msg00038.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/59432"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/59584"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/60100"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/60722"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
},
{
"type": "WEB",
"url": "http://www.osvdb.org/109996"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/69237"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2316-1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9GMG-HFCH-X94J
Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2026-06-09 12:31An Improper Validation of Certificate with Host Mismatch vulnerability [CWE-297] in FortiProxy version 7.6.1 and below, version 7.4.8 and below, 7.2 all versions, 7.0 all versions and FortiOS version 7.6.2 and below, version 7.4.8 and below, 7.2 all versions, 7.0 all versions ZTNA proxy may allow an unauthenticated attacker in a man-in-the middle position to intercept and tamper with connections to the ZTNA proxy
{
"affected": [],
"aliases": [
"CVE-2025-25253"
],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T16:15:36Z",
"severity": "HIGH"
},
"details": "An Improper Validation of Certificate with Host Mismatch vulnerability [CWE-297] in FortiProxy version 7.6.1 and below, version 7.4.8 and below, 7.2 all versions, 7.0 all versions and FortiOS version 7.6.2 and below, version 7.4.8 and below, 7.2 all versions, 7.0 all versions ZTNA proxy may allow an unauthenticated attacker in a man-in-the middle position to intercept and tamper with connections to the ZTNA proxy",
"id": "GHSA-9gmg-hfch-x94j",
"modified": "2026-06-09T12:31:59Z",
"published": "2025-10-14T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25253"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-864900.html"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-457"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9GQ9-G9HM-VM5F
Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2022-05-13 01:01An exploitable vulnerability exists in the filtering functionality of Circle with Disney. SSL certificates for specific domain names can cause the Bluecoat library to accept a different certificate than intended. An attacker can host an HTTPS server with this certificate to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2017-2913"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-297"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-07T16:29:00Z",
"severity": "MODERATE"
},
"details": "An exploitable vulnerability exists in the filtering functionality of Circle with Disney. SSL certificates for specific domain names can cause the Bluecoat library to accept a different certificate than intended. An attacker can host an HTTPS server with this certificate to trigger this vulnerability.",
"id": "GHSA-9gq9-g9hm-vm5f",
"modified": "2022-05-13T01:01:13Z",
"published": "2022-05-13T01:01:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2913"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0420"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Fully check the hostname of the certificate and provide the user with adequate information about the nature of the problem and how to proceed.
Mitigation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
No CAPEC attack patterns related to this CWE.