Total
821 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-24393 | 1 Tweetstream Project | 1 Tweetstream | 2021-03-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| TweetStream 2.6.1 uses the library eventmachine in an insecure way that does not have TLS hostname validation. This allows an attacker to perform a man-in-the-middle attack. | |||||
| CVE-2021-27189 | 1 Cira | 1 Canadian Shield | 2021-02-26 | 4.3 MEDIUM | 5.9 MEDIUM |
| The CIRA Canadian Shield app before 4.0.13 for iOS lacks SSL Certificate Validation. | |||||
| CVE-2020-24392 | 1 Twitter-stream Project | 1 Twitter-stream | 2021-02-25 | 4.3 MEDIUM | 5.9 MEDIUM |
| In voloko twitter-stream 0.1.10, missing TLS hostname validation allows an attacker to perform a man-in-the-middle attack against users of the library (because eventmachine is misused). | |||||
| CVE-2020-13482 | 2 Em-http-request Project, Fedoraproject | 2 Em-http-request, Fedora | 2021-02-24 | 5.8 MEDIUM | 7.4 HIGH |
| EM-HTTP-Request 1.1.5 uses the library eventmachine in an insecure way that allows an attacker to perform a man-in-the-middle attack against users of the library. The hostname in a TLS server certificate is not verified. | |||||
| CVE-2021-26911 | 2 Canarymail, Libmailcore | 2 Canary Mail, Mailcore2 | 2021-02-24 | 5.8 MEDIUM | 7.4 HIGH |
| core/imap/MCIMAPSession.cpp in Canary Mail before 3.22 has Missing SSL Certificate Validation for IMAP in STARTTLS mode. | |||||
| CVE-2014-0363 | 1 Igniterealtime | 1 Smack | 2021-02-23 | 5.8 MEDIUM | N/A |
| The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain. | |||||
| CVE-2019-17007 | 2 Mozilla, Siemens | 17 Network Security Services, Ruggedcom Rox Mx5000, Ruggedcom Rox Mx5000 Firmware and 14 more | 2021-02-19 | 5.0 MEDIUM | 7.5 HIGH |
| In Network Security Services before 3.44, a malformed Netscape Certificate Sequence can cause NSS to crash, resulting in a denial of service. | |||||
| CVE-2021-20649 | 1 Elecom | 2 Wrc-300febk-s, Wrc-300febk-s Firmware | 2021-02-14 | 5.8 MEDIUM | 4.8 MEDIUM |
| ELECOM WRC-300FEBK-S contains an improper certificate validation vulnerability. Via a man-in-the-middle attack, an attacker may alter the communication response. As a result, an arbitrary OS command may be executed on the affected device. | |||||
| CVE-2021-0341 | 1 Google | 1 Android | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171980069 | |||||
| CVE-2020-5812 | 1 Tenable | 1 Nessus Amazon Machine Image | 2021-02-10 | 4.3 MEDIUM | 5.9 MEDIUM |
| Nessus AMI versions 8.12.0 and earlier were found to either not validate, or incorrectly validate, a certificate which could allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. | |||||
| CVE-2021-1354 | 1 Cisco | 1 Unified Computing System Central Software | 2021-02-08 | 2.7 LOW | 3.5 LOW |
| A vulnerability in the certificate registration process of Cisco Unified Computing System (UCS) Central Software could allow an authenticated, adjacent attacker to register a rogue Cisco Unified Computing System Manager (UCSM). This vulnerability is due to improper certificate validation. An attacker could exploit this vulnerability by sending a crafted HTTP request to the registration API. A successful exploit could allow the attacker to register a rogue Cisco UCSM and gain access to Cisco UCS Central Software data and Cisco UCSM inventory data. | |||||
| CVE-2021-3285 | 1 Ti | 1 Code Composer Studio Intgrated Development Environment | 2021-02-03 | 4.3 MEDIUM | 5.3 MEDIUM |
| jxbrowser in TI Code Composer Studio IDE 8.x through 10.x before 10.1.1 does not verify X.509 certificates for HTTPS. | |||||
| CVE-2021-3309 | 1 Wekan Project | 1 Wekan | 2021-02-02 | 6.8 MEDIUM | 8.1 HIGH |
| packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by the Certification Authority trust store, | |||||
| CVE-2016-2402 | 1 Squareup | 2 Okhttp, Okhttp3 | 2021-02-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate. | |||||
| CVE-2021-1276 | 1 Cisco | 1 Data Center Network Manager | 2021-01-26 | 5.8 MEDIUM | 6.5 MEDIUM |
| Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) could allow an attacker to spoof a trusted host or construct a man-in-the-middle attack to extract sensitive information or alter certain API requests. These vulnerabilities are due to insufficient certificate validation when establishing HTTPS requests with the affected device. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2021-1277 | 1 Cisco | 1 Data Center Network Manager | 2021-01-26 | 5.8 MEDIUM | 6.5 MEDIUM |
| Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) could allow an attacker to spoof a trusted host or construct a man-in-the-middle attack to extract sensitive information or alter certain API requests. These vulnerabilities are due to insufficient certificate validation when establishing HTTPS requests with the affected device. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2020-24025 | 1 Sass-lang | 1 Node-sass | 2021-01-15 | 5.0 MEDIUM | 5.3 MEDIUM |
| Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries even if the user is not specifying an alternative download path. | |||||
| CVE-2020-25680 | 1 Redhat | 1 Jboss Core Services Httpd | 2021-01-14 | 5.5 MEDIUM | 5.4 MEDIUM |
| A flaw was found in JBCS httpd in version 2.4.37 SP3, where it uses a back-end worker SSL certificate with the keystore file's ID is 'unknown'. The validation of the certificate whether CN and hostname are matching stopped working and allow connecting to the back-end work. The highest threat from this vulnerability is to data integrity. | |||||
| CVE-2019-16281 | 1 Ptarmigan Project | 1 Ptarmigan | 2021-01-04 | 5.0 MEDIUM | 7.5 HIGH |
| Ptarmigan before 0.2.3 lacks API token validation, e.g., an "if (token === apiToken) {return true;} return false;" code block. | |||||
| CVE-2020-8289 | 1 Backblaze | 1 Backblaze | 2020-12-31 | 9.3 HIGH | 7.8 HIGH |
| Backblaze for Windows before 7.0.1.433 and Backblaze for macOS before 7.0.1.434 suffer from improper certificate validation in `bztransmit` helper due to hardcoded whitelist of strings in URLs where validation is disabled leading to possible remote code execution via client update functionality. | |||||