Total
821 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-4086 | 1 Apple | 4 Apple Tv, Iphone Os, Mac Os X and 1 more | 2018-05-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "Security" component. It allows remote attackers to spoof certificate validation via crafted name constraints. | |||||
| CVE-2018-8970 | 1 Openbsd | 1 Libressl | 2018-04-24 | 5.8 MEDIUM | 7.4 HIGH |
| The int_x509_param_set_hosts function in lib/libcrypto/x509/x509_vpm.c in LibreSSL 2.7.0 before 2.7.1 does not support a certain special case of a zero name length, which causes silent omission of hostname verification, and consequently allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. NOTE: the LibreSSL documentation indicates that this special case is supported, but the BoringSSL documentation does not. | |||||
| CVE-2015-4954 | 1 Ibm | 1 Bigfix Remote Control | 2018-04-23 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM BigFix Remote Control before Interim Fix pack 9.1.2-TIV-IBRC912-IF0001 improperly allows self-signed certificates, which might allow remote attackers to conduct spoofing attacks via unspecified vectors. IBM X-Force ID: 105200. | |||||
| CVE-2018-5502 | 1 F5 | 13 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 10 more | 2018-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| On F5 BIG-IP versions 13.0.0 - 13.1.0.3, attackers may be able to disrupt services on the BIG-IP system with maliciously crafted client certificate. This vulnerability affects virtual servers associated with Client SSL profile which enables the use of client certificate authentication. Client certificate authentication is not enabled by default in Client SSL profile. There is no control plane exposure. | |||||
| CVE-2018-8059 | 1 Suse | 1 Portus | 2018-04-12 | 5.8 MEDIUM | 8.8 HIGH |
| The Djelibeybi configuration examples for use of NGINX in SUSE Portus 2.3, when applied to certain configurations involving Docker Compose, have a Missing SSL Certificate Validation issue because no proxy_ssl_* directives are used. | |||||
| CVE-2017-18227 | 1 Titanhq | 1 Webtitan Gateway | 2018-04-12 | 5.0 MEDIUM | 7.5 HIGH |
| TitanHQ WebTitan Gateway has incorrect certificate validation for the TLS interception feature. | |||||
| CVE-2018-1000096 | 1 Tiny-json-http Project | 1 Tiny-json-http | 2018-04-11 | 6.8 MEDIUM | 8.1 HIGH |
| brianleroux tiny-json-http version all versions since commit 9b8e74a232bba4701844e07bcba794173b0238a8 (Oct 29 2016) contains a Missing SSL certificate validation vulnerability in The libraries core functionality is affected. that can result in Exposes the user to man-in-the-middle attacks. | |||||
| CVE-2016-9952 | 2 Haxx, Microsoft | 2 Curl, Windows Ce | 2018-04-10 | 6.8 MEDIUM | 8.1 HIGH |
| The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, makes it easier for remote attackers to conduct man-in-the-middle attacks via a crafted wildcard SAN in a server certificate, as demonstrated by "*.com." | |||||
| CVE-2018-6221 | 1 Trendmicro | 1 Email Encryption Gateway | 2018-04-04 | 9.3 HIGH | 8.1 HIGH |
| An unvalidated software update vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow a man-in-the-middle attacker to tamper with an update file and inject their own. | |||||
| CVE-2018-6219 | 1 Trendmicro | 1 Email Encryption Gateway | 2018-04-04 | 6.4 MEDIUM | 6.5 MEDIUM |
| An Insecure Update via HTTP vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to eavesdrop and tamper with certain types of update data. | |||||
| CVE-2018-0518 | 1 Linecorp | 1 Line | 2018-03-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| LINE for iOS version 7.1.3 to 7.1.5 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2012-6709 | 2 Elinks, Twibright | 2 Elinks, Links | 2018-03-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| ELinks 0.12 and Twibright Links 2.3 have Missing SSL Certificate Validation. | |||||
| CVE-2017-17455 | 1 Mahara | 1 Mahara | 2018-03-16 | 4.3 MEDIUM | 5.9 MEDIUM |
| Mahara 16.10 before 16.10.7, 17.04 before 17.04.5, and 17.10 before 17.10.2 are vulnerable to being forced, via a man-in-the-middle attack, to interact with Mahara on the HTTP protocol rather than HTTPS even when an SSL certificate is present. | |||||
| CVE-2017-9968 | 1 Schneider-electric | 1 Igss Mobile | 2018-03-09 | 4.3 MEDIUM | 5.9 MEDIUM |
| A security misconfiguration vulnerability exists in Schneider Electric's IGSS Mobile application versions 3.01 and prior in which a lack of certificate pinning during the TLS/SSL connection establishing process can result in a man-in-the-middle attack. | |||||
| CVE-2018-6827 | 1 Omninova | 2 Vobot, Vobot Firmware | 2018-03-08 | 6.8 MEDIUM | 8.1 HIGH |
| VOBOT CLOCK before 0.99.30 devices do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information, and consequently execute arbitrary code, via a crafted certificate, as demonstrated by leveraging a hardcoded --no-check-certificate Wget option. | |||||
| CVE-2017-12721 | 1 Smiths-medical | 1 Medfusion 4000 Wireless Syringe Infusion Pump | 2018-03-02 | 4.3 MEDIUM | 5.9 MEDIUM |
| An Improper Certificate Validation issue was discovered in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1, 1.5, and 1.6. The pump does not validate host certificates, leaving the pump vulnerable to a man-in-the-middle (MITM) attack. | |||||
| CVE-2018-6374 | 1 Pulsesecure | 1 Desktop Linux Client | 2018-02-24 | 6.4 MEDIUM | 6.5 MEDIUM |
| The GUI component (aka PulseUI) in Pulse Secure Desktop Linux clients before PULSE5.2R9.2 and 5.3.x before PULSE5.3R4.2 does not perform strict SSL Certificate Validation. This can lead to the manipulation of the Pulse Connection set. | |||||
| CVE-2017-15341 | 1 Huawei | 8 Ar3200, Ar3200 Firmware, Te40 and 5 more | 2018-02-22 | 5.0 MEDIUM | 7.5 HIGH |
| Huawei AR3200 V200R008C20, V200R008C30, TE40 V600R006C00, TE50 V600R006C00, TE60 V600R006C00 have a denial of service vulnerability. The software decodes X.509 certificate in an improper way. A remote unauthenticated attacker could send a crafted X.509 certificate to the device. Successful exploit could result in a denial of service on the device. | |||||
| CVE-2018-5761 | 1 Rubrik | 1 Cdm | 2018-02-15 | 4.3 MEDIUM | 8.1 HIGH |
| A man-in-the-middle vulnerability related to vCenter access was found in Rubrik CDM 3.x and 4.x before 4.0.4-p2. This vulnerability might expose Rubrik user credentials configured to access vCenter as Rubrik clusters did not verify TLS certificates presented by vCenter. | |||||
| CVE-2017-1000417 | 1 Matrixssl | 1 Matrixssl | 2018-02-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| MatrixSSL version 3.7.2 adopts a collision-prone OID comparison logic resulting in possible spoofing of OIDs (e.g. in ExtKeyUsage extension) on X.509 certificates. | |||||