Total
987 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-6517 | 1 Puppet | 1 Chloride | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| Prior to version 0.3.0, chloride's use of net-ssh resulted in host fingerprints for previously unknown hosts getting added to the user's known_hosts file without confirmation. In version 0.3.0 this is updated so that the user's known_hosts file is not updated by chloride. | |||||
| CVE-2017-6664 | 1 Cisco | 1 Ios Xe | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in the Autonomic Networking feature of Cisco IOS XE Software could allow an unauthenticated, remote, autonomic node to access the Autonomic Networking infrastructure of an affected system, after the certificate for the autonomic node has been revoked. This vulnerability affected devices that are running Release 16.x of Cisco IOS XE Software and are configured to use Autonomic Networking. This vulnerability does not affect devices that are running an earlier release of Cisco IOS XE Software or devices that are not configured to use Autonomic Networking. More Information: CSCvd22328. Known Affected Releases: 15.5(1)S3.1 Denali-16.2.1. | |||||
| CVE-2017-8301 | 1 Openbsd | 1 Libressl | 2019-10-03 | 2.6 LOW | 5.3 MEDIUM |
| LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_verify_result is relied upon for a later check of a verification result, in a use case where a user-provided verification callback returns 1, as demonstrated by acceptance of invalid certificates by nginx. | |||||
| CVE-2018-10403 | 1 F-secure | 1 Xfence | 2019-10-03 | 6.8 MEDIUM | 7.8 HIGH |
| An issue was discovered in F-Secure XFENCE and Little Flocker. A maliciously crafted Universal/fat binary can evade third-party code signing checks. By not completing full inspection of the Universal/fat binary, the user of the third-party tool will believe that the code is signed by Apple, but the malicious unsigned code will execute. | |||||
| CVE-2017-2387 | 1 Apple | 1 Apple Music | 2019-10-03 | 2.9 LOW | 4.8 MEDIUM |
| The Apple Music (aka com.apple.android.music) application before 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2019-11497 | 1 Couchbase | 1 Couchbase Server | 2019-09-26 | 5.0 MEDIUM | 7.5 HIGH |
| In Couchbase Server 5.0.0, when an invalid Remote Cluster Certificate was entered as part of the reference creation, XDCR did not parse and check the certificate signature. It then accepted the invalid certificate and attempted to use it to establish future connections to the remote cluster. This has been fixed in version 5.5.0. XDCR now checks the validity of the certificate thoroughly and prevents a remote cluster reference from being created with an invalid certificate. | |||||
| CVE-2019-1231 | 1 Microsoft | 1 Project Rome | 2019-09-12 | 4.3 MEDIUM | 5.9 MEDIUM |
| An information disclosure vulnerability exists in the way Rome SDK handles server SSL/TLS certificate validation, aka 'Rome SDK Information Disclosure Vulnerability'. | |||||
| CVE-2019-16179 | 1 Limesurvey | 1 Limesurvey | 2019-09-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| Limesurvey before 3.17.14 does not enforce SSL/TLS usage in the default configuration. | |||||
| CVE-2019-15525 | 1 Pw3270 Project | 1 Pw3270 | 2019-08-30 | 6.8 MEDIUM | 8.1 HIGH |
| There is Missing SSL Certificate Validation in the pw3270 terminal emulator before version 5.1. | |||||
| CVE-2017-18588 | 1 Security-framework Project | 1 Security-framework | 2019-08-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in the security-framework crate before 0.1.12 for Rust. Hostname verification for certificates does not occur if ClientBuilder uses custom root certificates. | |||||
| CVE-2019-5280 | 1 Huawei | 2 Cloudlink Phone 7900, Cloudlink Phone 7900 Firmware | 2019-08-27 | 5.8 MEDIUM | 6.5 MEDIUM |
| The SIP TLS module of Huawei CloudLink Phone 7900 with V600R019C10 has a TLS certificate verification vulnerability. Due to insufficient verification of specific parameters of the TLS server certificate, attackers can perform man-in-the-middle attacks, leading to the affected phones registered abnormally, affecting the availability of IP phones. | |||||
| CVE-2019-14516 | 1 Uidai | 1 Maadhaar | 2019-08-19 | 5.8 MEDIUM | 7.4 HIGH |
| The mAadhaar application 1.2.7 for Android lacks SSL Certificate Validation, leading to man-in-the-middle attacks against requests for FAQs or Help. | |||||
| CVE-2017-18479 | 1 Cpanel | 1 Cpanel | 2019-08-12 | 4.0 MEDIUM | 6.5 MEDIUM |
| In cPanel before 62.0.4, WHM SSL certificate generation uses an unreserved e-mail address (SEC-209). | |||||
| CVE-2019-11727 | 1 Mozilla | 1 Firefox | 2019-07-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68. | |||||
| CVE-2019-11242 | 1 Cohesity | 1 Dataplatform | 2019-07-17 | 4.3 MEDIUM | 8.1 HIGH |
| A man-in-the-middle vulnerability related to vCenter access was found in Cohesity DataPlatform version 5.x and 6.x prior to 6.1.1c. Cohesity clusters did not verify TLS certificates presented by vCenter. This vulnerability could expose Cohesity user credentials configured to access vCenter. | |||||
| CVE-2019-5961 | 1 Mastodon-tootdon | 1 Tootdon For Mastodon | 2019-07-10 | 5.8 MEDIUM | 7.4 HIGH |
| The Android App 'Tootdon for Mastodon' version 3.4.1 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2017-17945 | 1 Asus | 2 Hivivo, Vivobaby | 2019-07-03 | 6.4 MEDIUM | 9.1 CRITICAL |
| The ASUS HiVivo aspplication before 5.6.27 for ASUS Watch has Missing SSL Certificate Validation. | |||||
| CVE-2017-17944 | 1 Asus | 2 Hivivo, Vivobaby | 2019-06-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| The ASUS Vivobaby application before 1.1.09 for Android has Missing SSL Certificate Validation. | |||||
| CVE-2015-5619 | 2 Elastic, Elasticsearch | 2 Logstash, Logstash | 2019-06-17 | 4.3 MEDIUM | 5.9 MEDIUM |
| Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SSL/TLS certificates from the Logstash server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack. | |||||
| CVE-2018-20135 | 1 Samsung | 1 Galaxy Apps | 2019-06-11 | 6.8 MEDIUM | 8.1 HIGH |
| Samsung Galaxy Apps before 4.4.01.7 allows modification of the hostname used for load balancing on installations of applications through a man-in-the-middle attack. An attacker may trick Galaxy Apps into using an arbitrary hostname for which the attacker can provide a valid SSL certificate, and emulate the API of the app store to modify existing apps at installation time. The specific flaw involves an HTTP method to obtain the load-balanced hostname that enforces SSL only after obtaining a hostname from the load balancer, and a missing app signature validation in the application XML. An attacker can exploit this vulnerability to achieve Remote Code Execution on the device. The Samsung ID is SVE-2018-12071. | |||||