Total
821 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-7043 | 4 Fedoraproject, Openfortivpn Project, Openssl and 1 more | 5 Fedora, Openfortivpn, Openssl and 2 more | 2020-10-09 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL before 1.0.2. tunnel.c mishandles certificate validation because hostname comparisons do not consider '\0' characters, as demonstrated by a good.example.com\x00evil.example.com attack. | |||||
| CVE-2019-14910 | 1 Redhat | 1 Keycloak | 2020-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered. | |||||
| CVE-2016-11086 | 1 Oauth-ruby Project | 1 Oauth-ruby | 2020-10-05 | 5.8 MEDIUM | 7.4 HIGH |
| lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information. | |||||
| CVE-2020-24560 | 2 Microsoft, Trendmicro | 6 Windows, Antivirus\+ 2019, Internet Security 2019 and 3 more | 2020-09-30 | 5.0 MEDIUM | 7.5 HIGH |
| An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CWE-295: Improper server certificate verification in the communication with the update server. | |||||
| CVE-2020-7922 | 1 Mongodb | 1 Mongodb Enterprise Kubernetes Operator | 2020-09-29 | 4.0 MEDIUM | 6.5 MEDIUM |
| X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are unaffected. This issue affects: MongoDB Inc. MongoDB Enterprise Kubernetes Operator version 1.0, 1.1, 1.2 versions prior to 1.2.4, 1.3 versions prior to 1.3.1, 1.2, 1.4 versions prior to 1.4.4. | |||||
| CVE-2020-4340 | 2 Ibm, Microsoft | 2 Security Secret Server, Windows | 2020-09-28 | 4.3 MEDIUM | 4.3 MEDIUM |
| IBM Security Secret Server prior to 10.9 could allow an attacker to bypass SSL security due to improper certificate validation. IBM X-Force ID: 178180. | |||||
| CVE-2020-1113 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2020-09-28 | 9.3 HIGH | 7.5 HIGH |
| A security feature bypass vulnerability exists in Microsoft Windows when the Task Scheduler service fails to properly verify client connections over RPC, aka 'Windows Task Scheduler Security Feature Bypass Vulnerability'. | |||||
| CVE-2018-1000500 | 1 Busybox | 1 Busybox | 2020-09-24 | 6.8 MEDIUM | 8.1 HIGH |
| Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file". | |||||
| CVE-2020-6781 | 1 Bosch | 1 Smart Home | 2020-09-22 | 5.8 MEDIUM | 7.4 HIGH |
| Improper certificate validation for certain connections in the Bosch Smart Home System App for iOS prior to version 9.17.1 potentially allows to intercept video contents by performing a man-in-the-middle attack. | |||||
| CVE-2020-2252 | 1 Jenkins | 1 Mailer | 2020-09-18 | 5.8 MEDIUM | 4.8 MEDIUM |
| Jenkins Mailer Plugin 1.32 and earlier does not perform hostname validation when connecting to the configured SMTP server. | |||||
| CVE-2020-2253 | 1 Jenkins | 1 Email Extension | 2020-09-18 | 5.8 MEDIUM | 4.8 MEDIUM |
| Jenkins Email Extension Plugin 2.75 and earlier does not perform hostname validation when connecting to the configured SMTP server. | |||||
| CVE-2018-19946 | 1 Qnap | 1 Helpdesk | 2020-09-16 | 4.3 MEDIUM | 5.9 MEDIUM |
| The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this improper certificate validation vulnerability could allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. QNAP has already fixed the issue in Helpdesk 3.0.3 and later. | |||||
| CVE-2020-25276 | 1 Primekey | 1 Ejbca | 2020-09-16 | 6.8 MEDIUM | 7.3 HIGH |
| An issue was discovered in PrimeKey EJBCA 6.x and 7.x before 7.4.1. When using a client certificate to enroll over the EST protocol, no revocation check is performed on that certificate. This vulnerability can only affect a system that has EST configured, uses client certificates to authenticate enrollment, and has had such a certificate revoked. This certificate needs to belong to a role that is authorized to enroll new end entities. (To completely mitigate this problem prior to upgrade, remove any revoked client certificates from their respective roles.) | |||||
| CVE-2020-11617 | 2 Philips, Thomsonstb | 4 Dtr3502bfta Dvb-t2, Dtr3502bfta Dvb-t2 Firmware, Tht741fta and 1 more | 2020-09-09 | 4.3 MEDIUM | 5.9 MEDIUM |
| The RSS application on THOMSON THT741FTA 2.2.1 and Philips DTR3502BFTA DVB-T2 2.2.1 set-top boxes doesn't validate the SSL certificates of RSS servers, which allows a man-in-the-middle attacker to modify the data delivered to the client. | |||||
| CVE-2020-15498 | 1 Asus | 2 Rt-ac1900p, Rt-ac1900p Firmware | 2020-09-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered on ASUS RT-AC1900P routers before 3.0.0.4.385_20253. The router accepts an arbitrary server certificate for a firmware update. The culprit is the --no-check-certificate option passed to wget tool used to download firmware update files. | |||||
| CVE-2020-24714 | 1 Scalyr | 1 Scalyr Agent | 2020-09-03 | 6.8 MEDIUM | 9.8 CRITICAL |
| The Scalyr Agent before 2.1.10 has Missing SSL Certificate Validation because, in some circumstances, the openssl binary is called without the -verify_hostname option. | |||||
| CVE-2020-24715 | 1 Scalyr | 1 Scalyr Agent | 2020-09-03 | 6.8 MEDIUM | 9.8 CRITICAL |
| The Scalyr Agent before 2.1.10 has Missing SSL Certificate Validation because, in some circumstances, native Python code is used that lacks a comparison of the hostname to commonName and subjectAltName. | |||||
| CVE-2020-24613 | 1 Wolfssl | 1 Wolfssl | 2020-09-01 | 4.9 MEDIUM | 6.8 MEDIUM |
| wolfSSL before 4.5.0 mishandles TLS 1.3 server data in the WAIT_CERT_CR state, within SanityCheckTls13MsgReceived() in tls13.c. This is an incorrect implementation of the TLS 1.3 client state machine. This allows attackers in a privileged network position to completely impersonate any TLS 1.3 servers, and read or modify potentially sensitive information between clients using the wolfSSL library and these TLS servers. | |||||
| CVE-2019-18847 | 1 Akamai | 1 Enterprise Application Access | 2020-09-01 | 7.5 HIGH | 9.8 CRITICAL |
| Enterprise Access Client Auto-Updater allows for Remote Code Execution prior to version 2.0.1. | |||||
| CVE-2018-15387 | 1 Cisco | 1 Sd-wan | 2020-08-31 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in the Cisco SD-WAN Solution could allow an unauthenticated, remote attacker to bypass certificate validation on an affected device. The vulnerability is due to improper certificate validation. An attacker could exploit this vulnerability by supplying a system image signed with a crafted certificate to an affected device, bypassing the certificate validation. An exploit could allow an attacker to deploy a crafted system image. | |||||