Vulnerabilities (CVE)


Filtered by CWE-295
Total 821 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-7406 1 Dlink 1 Dir-615 2021-04-23 5.0 MEDIUM 9.8 CRITICAL
The D-Link DIR-615 device before v20.12PTb04 doesn't use SSL for any of the authenticated pages. Also, it doesn't allow the user to generate his own SSL Certificate. An attacker can simply monitor network traffic to steal a user's credentials and/or credentials of users being added while sniffing the traffic.
CVE-2021-3460 1 Motorola 2 Mh702x, Mh702x Firmware 2021-04-21 7.5 HIGH 9.8 CRITICAL
The Motorola MH702x devices, prior to version 2.0.0.301, do not properly verify the server certificate during communication with the support server which could lead to the communication channel being accessible by an attacker.
CVE-2020-7924 1 Mongodb 2 Database Tools, Mongomirror 2021-04-21 6.4 MEDIUM 6.5 MEDIUM
Usage of a specific command line parameter in MongoDB Tools, which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates. This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0.
CVE-2021-22511 1 Microfocus 1 Application Automation Tools 2021-04-14 6.4 MEDIUM 6.5 MEDIUM
Improper Certificate Validation vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow unconditional disabling of SSL/TLS certificates.
CVE-2017-7429 2 Microfocus, Netiq 2 Edirectory, Edirectory 2021-04-13 6.5 MEDIUM 8.8 HIGH
The certificate upload in NetIQ eDirectory PKI plugin before 8.8.8 Patch 10 Hotfix 1 could be abused to upload JSP code which could be used by authenticated attackers to execute JSP applets on the iManager server.
CVE-2021-27899 1 Proofpoint 1 Insider Threat Management 2021-04-12 5.8 MEDIUM 7.4 HIGH
The Proofpoint Insider Threat Management Agents (formerly ObserveIT Agent) for MacOS and Linux perform improper validation of the ITM Server's certificate, which enables a remote attacker to intercept and alter these communications using a man-in-the-middle attack. All versions before 7.11.1 are affected. Agents for Windows and Cloud are not affected.
CVE-2016-4830 1 Akindo-sushiro 1 Sushiro 2021-04-01 4.3 MEDIUM 5.9 MEDIUM
Sushiro App for iOS 2.1.16 and earlier and Sushiro App for Android 2.1.16.1 and earlier do not verify SSL certificates.
CVE-2021-21373 1 Nim-lang 1 Nim 2021-03-31 4.3 MEDIUM 5.9 MEDIUM
Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS by default. In case of error it falls back to a non-TLS URL http://irclogs.nim-lang.org/packages.json. An attacker able to perform MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used the attack escalates to untrusted code execution.
CVE-2020-35733 2 Erlang, Fedoraproject 2 Erlang/otp, Fedora 2021-03-31 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Erlang/OTP before 23.2.2. The ssl application 10.2 accepts and trusts an invalid X.509 certificate chain to a trusted root Certification Authority.
CVE-2021-21374 1 Nim-lang 1 Nim 2021-03-30 6.8 MEDIUM 8.1 HIGH
Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate due to the default setting of httpClient. An attacker able to perform MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used the attack escalates to untrusted code execution.
CVE-2021-21385 1 Mifos 1 Mifos-mobile 2021-03-30 5.8 MEDIUM 7.4 HIGH
Mifos-Mobile Android Application for MifosX is an Android Application built on top of the MifosX Self-Service platform. Mifos-Mobile before commit e505f62 disables HTTPS hostname verification of its HTTP client. Additionally it accepted any self-signed certificate as valid. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. Accepting any certificate, even self-signed ones allows man-in-the-middle attacks. This problem is fixed in mifos-mobile commit e505f62.
CVE-2021-1471 1 Cisco 1 Jabber 2021-03-29 6.8 MEDIUM 5.6 MEDIUM
Multiple vulnerabilities in Cisco Jabber for Windows, Cisco Jabber for MacOS, and Cisco Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system with elevated privileges, access sensitive information, intercept protected network traffic, or cause a denial of service (DoS) condition. For more information about these vulnerabilities, see the Details section of this advisory.
CVE-2020-29457 1 Opcfoundation 1 Ua-.netstandard 2021-03-26 2.1 LOW 4.4 MEDIUM
A Privilege Elevation vulnerability in OPC UA .NET Standard Stack 1.4.363.107 could allow a rogue application to establish a secure connection.
CVE-2021-27257 1 Netgear 86 Br200, Br200 Firmware, Br500 and 83 more 2021-03-17 3.3 LOW 6.5 MEDIUM
This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of NETGEAR R7800 firmware version 1.0.2.76. Authentication is not required to exploit this vulnerability. The specific flaw exists within the downloading of files via FTP. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-12362.
CVE-2021-27098 1 Cncf 1 Spire 2021-03-16 5.5 MEDIUM 8.1 HIGH
In SPIRE 0.8.1 through 0.8.4 and before versions 0.9.4, 0.10.2, 0.11.3 and 0.12.1, specially crafted requests to the FetchX509SVID RPC of SPIRE Server’s Legacy Node API can result in the possible issuance of an X.509 certificate with a URI SAN for a SPIFFE ID that the agent is not authorized to distribute. Proper controls are in place to require that the caller presents a valid agent certificate that is already authorized to issue at least one SPIFFE ID, and the requested SPIFFE ID belongs to the same trust domain, prior to being able to trigger this vulnerability. This issue has been fixed in SPIRE versions 0.8.5, 0.9.4, 0.10.2, 0.11.3 and 0.12.1.
CVE-2021-22189 1 Gitlab 1 Gitlab 2021-03-10 6.5 MEDIUM 7.2 HIGH
Starting with version 13.7 the Gitlab CE/EE editions were affected by a security issue related to the validation of the certificates for the Fortinet OTP that could result in authentication issues.
CVE-2018-11775 2 Apache, Oracle 3 Activemq, Enterprise Repository, Flexcube Private Banking 2021-03-05 5.8 MEDIUM 7.4 HIGH
TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.
CVE-2020-13163 1 Em-imap Project 1 Em-imap 2021-03-04 5.8 MEDIUM 7.4 HIGH
em-imap 0.5 uses the library eventmachine in an insecure way that allows an attacker to perform a man-in-the-middle attack against users of the library. The hostname in a TLS server certificate is not verified.
CVE-2021-3336 1 Wolfssl 1 Wolfssl 2021-03-04 6.8 MEDIUM 8.1 HIGH
DoTls13CertificateVerify in tls13.c in wolfSSL before 4.7.0 does not cease processing for certain anomalous peer behavior (sending an ED25519, ED448, ECC, or RSA signature without the corresponding certificate). The client side is affected because man-in-the-middle attackers can impersonate TLS 1.3 servers.
CVE-2021-20327 1 Mongodb 1 Libmongocrypt 2021-03-04 4.3 MEDIUM 6.8 MEDIUM
A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Node.js driver and the KMS service rendering client-side field level encryption (CSFLE) ineffective. This issue was discovered during internal testing and affects mongodb-client-encryption module version 1.2.0, which was available from 2021-Jan-29 and deprecated in the NPM Registry on 2021-Feb-04. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption.