Total: 987 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-22278 | 2 Abb, Hitachienergy | 2 Update Manager, Pcm600 | 2023-05-16 | 4.6 MEDIUM | 6.7 MEDIUM |
A certificate validation vulnerability in PCM600 Update Manager allows an attacker to get unwanted software packages installed on a computer that has PCM600 installed. | |||||
CVE-2022-39161 | 1 Ibm | 1 Websphere Application Server | 2023-05-12 | N/A | 5.3 MEDIUM |
IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and IBM WebSphere Application Server Liberty, when configured to communicate with the Web Server Plug-ins for IBM WebSphere Application Server, could allow an authenticated user to conduct spoofing attacks. A man-in-the-middle attacker could exploit this vulnerability using a certificate issued by a trusted authority to obtain sensitive information. IBM X-Force ID: 235069. | |||||
CVE-2023-24461 | 3 Apple, F5, Microsoft | 3 Macos, Big-ip Access Policy Manager, Windows | 2023-05-10 | N/A | 5.9 MEDIUM |
An improper certificate validation vulnerability exists in the BIG-IP Edge Client for Windows and macOS and may allow an attacker to impersonate a BIG-IP APM system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
CVE-2022-48186 | 1 Lenovo | 1 Baiying | 2023-05-09 | N/A | 7.5 HIGH |
A certificate validation vulnerability exists in the Baiying Android application which could lead to information disclosure. | |||||
CVE-2023-31485 | 1 GitLab::API::v4 Project | 1 GitLab::API::v4 | 2023-05-08 | N/A | 5.9 MEDIUM |
GitLab::API::v4 through 0.26 does not verify TLS certificates when connecting to a GitLab server, enabling machine-in-the-middle attacks. | |||||
CVE-2022-45197 | 1 Slixmpp Project | 1 Slixmpp | 2023-05-03 | N/A | 7.5 HIGH |
Slixmpp before 1.8.3 lacks SSL Certificate hostname validation in XMLStream, allowing an attacker to pose as any server in the eyes of Slixmpp. | |||||
CVE-2023-28093 | 1 Pega | 1 Synchronization Engine | 2023-04-21 | N/A | 6.5 MEDIUM |
A user with a compromised configuration can start an unsigned binary as a service. | |||||
CVE-2023-30516 | 1 Jenkins | 1 Image Tag Parameter | 2023-04-21 | N/A | 6.5 MEDIUM |
Jenkins Image Tag Parameter Plugin 2.0 improperly introduces an option to opt out of SSL/TLS certificate validation when connecting to Docker registries, resulting in job configurations using Image Tag Parameters that were created before 2.0 having SSL/TLS certificate validation disabled by default. | |||||
CVE-2023-30517 | 1 Jenkins | 1 Neuvector Vulnerability Scanner | 2023-04-21 | N/A | 5.3 MEDIUM |
Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier unconditionally disables SSL/TLS certificate and hostname validation when connecting to a configured NeuVector Vulnerability Scanner server. | |||||
CVE-2022-48437 | 1 Openbsd | 2 Libressl, Openbsd | 2023-04-21 | N/A | 5.3 MEDIUM |
An issue was discovered in x509/x509_verify.c in LibreSSL before 3.6.1, and in OpenBSD before 7.2 errata 001. x509_verify_ctx_add_chain does not store errors that occur during leaf certificate verification, and therefore an incorrect error is returned. This behavior occurs when there is an installed verification callback that instructs the verifier to continue upon detecting an invalid certificate. | |||||
CVE-2023-25392 | 1 Allegro | 1 Bigflow | 2023-04-14 | N/A | 5.9 MEDIUM |
Allegro Tech BigFlow <1.6 is vulnerable to Missing SSL Certificate Validation. | |||||
CVE-2023-29000 | 1 Nextcloud | 1 Desktop | 2023-04-11 | N/A | 6.5 MEDIUM |
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.7.0, by trusting that the server will return a certificate that belongs to the keypair of the user, a malicious server could get the desktop client to encrypt files with a key known to the attacker. This issue is fixed in Nextcloud Desktop 3.7.0. No known workarounds are available. | |||||
CVE-2022-27644 | 1 Netgear | 48 Cbr40, Cbr40 Firmware, Lbr1020 and 45 more | 2023-04-05 | N/A | 8.8 HIGH |
This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of NETGEAR R6700v3 1.0.4.120_10.0.91 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the downloading of files via HTTPS. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-15797. | |||||
CVE-2022-32748 | 1 Schneider-electric | 1 Ecostruxure Cybersecurity Admin Expert | 2023-04-03 | N/A | 8.3 HIGH |
A CWE-295: Improper Certificate Validation vulnerability exists that could cause the CAE software to give wrong data to end users when using CAE to configure devices. Additionally, credentials could leak which would enable an attacker the ability to log into the configuration tool and compromise other devices in the network. Affected Products: EcoStruxure™ Cybersecurity Admin Expert (CAE) (Versions prior to 2.2) | |||||
CVE-2023-20963 | 1 Google | 1 Android | 2023-03-28 | N/A | 7.8 HIGH |
In WorkSource, there is a possible parcel mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11, Android-12, Android-12L, Android-13. Android ID: A-220302519 | |||||
CVE-2021-25636 | 2 Fedoraproject, Libreoffice | 2 Fedora, Libreoffice | 2023-03-27 | 5.0 MEDIUM | 7.5 HIGH |
LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to contain both "X509Data" and "KeyValue" children of the "KeyInfo" tag, which when opened caused LibreOffice to verify using the "KeyValue" but to report verification with the unrelated "X509Data" value. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.5. | |||||
CVE-2022-26305 | 1 Libreoffice | 1 Libreoffice | 2023-03-26 | N/A | 7.5 HIGH |
An Improper Certificate Validation vulnerability in LibreOffice existed where determining if a macro was signed by a trusted author was done by only matching the serial number and issuer string of the used certificate with that of a trusted certificate. This is not sufficient to verify that the macro was actually signed with the certificate. An adversary could therefore create an arbitrary certificate with a serial number and an issuer string identical to a trusted certificate, which LibreOffice would present as belonging to the trusted author, potentially leading the user to execute arbitrary code contained in macros that were improperly trusted. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1. | |||||
CVE-2019-1683 | 1 Cisco | 28 Spa112, Spa112 Firmware, Spa500 and 25 more | 2023-03-23 | 5.8 MEDIUM | 7.4 HIGH |
A vulnerability in the certificate handling component of the Cisco SPA112, SPA525, and SPA5X5 Series IP Phones could allow an unauthenticated, remote attacker to listen to or control some aspects of a Transport Layer Security (TLS)-encrypted Session Initiation Protocol (SIP) conversation. The vulnerability is due to the improper validation of server certificates. An attacker could exploit this vulnerability by crafting a malicious server certificate to present to the client. An exploit could allow an attacker to eavesdrop on TLS-encrypted traffic and potentially route or redirect calls initiated by an affected device. Affected software includes version 7.6.2 of the Cisco Small Business SPA525 Series IP Phones and Cisco Small Business SPA5X5 Series IP Phones and version 1.4.2 of the Cisco Small Business SPA500 Series IP Phones and Cisco Small Business SPA112 Series IP Phones. | |||||
CVE-2022-27536 | 2 Apple, Golang | 2 Macos, Go | 2023-03-09 | 5.0 MEDIUM | 7.5 HIGH |
Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can be caused to panic on macOS when presented with certain malformed certificates. This allows a remote TLS server to cause a TLS client to panic. | |||||
CVE-2022-39334 | 1 Nextcloud | 1 Desktop | 2023-03-06 | N/A | 4.7 MEDIUM |
Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server. |
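Most entries above are one of two mistakes: a client that never chains the server certificate to a trusted root or never compares its name to the host it dialled (GitLab::API::v4, Slixmpp, the two Jenkins plugins, nextcloudcmd, the NETGEAR HTTPS download), or a client that identifies a trusted certificate by attacker-chosen fields instead of the certificate itself (LibreOffice CVE-2022-26305, which matched only issuer string and serial number). The example below is added here and is not code from the page or from any of the projects listed. It builds a constructed, hypothetical PKI in memory with Go's crypto/x509 (names "Example Root CA", gitlab.example.com and attacker.example.net are assumptions), then runs both the correct checks and the weak issuer+serial check against a legitimate certificate and against a rogue one whose issuer name and serial were copied by an attacker operating their own CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mustCert issues a certificate for cn with the given serial. With parent == nil it is
// self-signed (a root); otherwise it is signed by parent using parentKey. The inputs are
// fixed demo values, so a key-generation or signing failure is treated as fatal.
func mustCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // the SAN is what hostname validation compares against
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is supplied
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyServerCert does what the clients listed above skipped: chain the leaf to a
// trusted root AND require that it carries the host name the client dialled.
func verifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	var hn x509.HostnameError
	var ua x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &hn):
		return "hostname-mismatch"
	case errors.As(err, &ua):
		return "unknown-authority"
	}
	return "other: " + err.Error()
}

// weakMatch is the CVE-2022-26305 style check: issuer string plus serial number, both chosen by whoever issued the cert.
func weakMatch(cand, trusted *x509.Certificate) bool {
	return cand.Issuer.String() == trusted.Issuer.String() && cand.SerialNumber.Cmp(trusted.SerialNumber) == 0
}

// strongMatch pins the exact certificate: Certificate.Equal compares the DER bytes.
func strongMatch(cand, trusted *x509.Certificate) bool { return cand.Equal(trusted) }

type Result struct {
	RightHost, WrongHost, RogueChain string
	WeakRogueMatch, StrongRogueMatch bool
}

// Demo builds the hypothetical PKI plus an attacker CA that copies the issuer name and serial.
func Demo() Result {
	root, rootKey := mustCert("Example Root CA", 1, true, nil, nil)
	leaf, _ := mustCert("gitlab.example.com", 42, false, root, rootKey)
	fakeRoot, fakeKey := mustCert("Example Root CA", 1, true, nil, nil) // same name, attacker's key
	rogue, _ := mustCert("gitlab.example.com", 42, false, fakeRoot, fakeKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return Result{
		RightHost:        verifyServerCert(leaf, roots, "gitlab.example.com"),
		WrongHost:        verifyServerCert(leaf, roots, "attacker.example.net"),
		RogueChain:       verifyServerCert(rogue, roots, "gitlab.example.com"),
		WeakRogueMatch:   weakMatch(rogue, leaf),
		StrongRogueMatch: strongMatch(rogue, leaf),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Running it shows the legitimate certificate passing only for the name it was issued for, the rogue certificate failing chain validation even though its issuer string and serial are identical to the trusted one, and weakMatch accepting that rogue certificate while strongMatch rejects it. Issuer plus serial does identify a certificate uniquely, but only within one CA's issuance, so it is meaningful after the chain has been verified to a trusted root, not as a substitute for that verification. In crypto/tls the equivalent of the Jenkins plugins' opt-out is `InsecureSkipVerify: true`; a client should instead set `RootCAs` and `ServerName` and leave verification on.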