Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-295
Total 821 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-6142 1 F5 1 Big-ip Advanced Firewall Manager 2018-02-06 5.8 MEDIUM 4.8 MEDIUM
X509 certificate verification was not correctly implemented in the early access "user id" feature in the F5 BIG-IP Advanced Firewall Manager versions 13.0.0, 12.1.0-12.1.2, and 11.6.0-11.6.2, and thus did not properly validate the remote server's identity on certain versions of BIG-IP.
CVE-2018-5258 1 Banconeon 1 Neon 2018-02-02 4.3 MEDIUM 5.9 MEDIUM
The Neon app 1.6.14 iOS does not verify X.509 certificates from SSL servers, which allows remote attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVE-2015-2981 1 Yodobashi 1 Yodobashi 2018-02-01 4.3 MEDIUM 5.9 MEDIUM
The Yodobashi App for Android 1.2.1.0 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVE-2014-3607 1 Ldaptive 2 Ldaptive, Vt-ldap 2018-01-31 4.3 MEDIUM 5.9 MEDIUM
DefaultHostnameVerifier in Ldaptive (formerly vt-ldap) does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVE-2015-2320 2 Debian, Mono-project 2 Debian Linux, Mono 2018-01-30 7.5 HIGH 9.8 CRITICAL
The TLS stack in Mono before 3.12.1 allows remote attackers to have unspecified impact via vectors related to client-side SSLv2 fallback.
CVE-2015-2319 1 Mono-project 1 Mono 2018-01-30 5.0 MEDIUM 7.5 HIGH
The TLS stack in Mono before 3.12.1 makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a different vulnerability than CVE-2015-0204.
CVE-2015-2318 2 Debian, Mono-project 2 Debian Linux, Mono 2018-01-30 6.8 MEDIUM 8.1 HIGH
The TLS stack in Mono before 3.12.1 allows man-in-the-middle attackers to conduct message skipping attacks and consequently impersonate clients by leveraging missing handshake state validation, aka a "SMACK SKIP-TLS" issue.
CVE-2017-1000415 1 Matrixssl 1 Matrixssl 2018-01-26 4.3 MEDIUM 5.9 MEDIUM
MatrixSSL version 3.7.2 has an incorrect UTCTime date range validation in its X.509 certificate validation process resulting in some certificates have their expiration (beginning) year extended (delayed) by 100 years.
CVE-2017-17718 1 Net-ldap Project 1 Net-ldap 2018-01-05 4.3 MEDIUM 5.9 MEDIUM
The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation.
CVE-2017-17716 1 Gitlab 1 Gitlab 2018-01-04 4.3 MEDIUM 5.9 MEDIUM
GitLab 9.4.x before 9.4.2 does not support LDAP SSL certificate verification, but a verify_certificates LDAP option was mentioned in the 9.4 release announcement. This issue occurred because code was not merged. This is related to use of the omniauth-ldap library and the gitlab_omniauth-ldap gem.
CVE-2014-3250 3 Apache, Puppet, Redhat 3 Http Server, Puppet, Linux 2017-12-27 4.0 MEDIUM 6.5 MEDIUM
The default vhost configuration file in Puppet before 3.6.2 does not include the SSLCARevocationCheck directive, which might allow remote attackers to obtain sensitive information via a revoked certificate when a Puppet master runs with Apache 2.4.
CVE-2017-8213 1 Huawei 2 Smc2.0, Smc2.0 Firmware 2017-12-08 5.0 MEDIUM 5.3 MEDIUM
Huawei SMC2.0 with software of V100R003C10, V100R005C00SPC100, V100R005C00SPC101B001T, V100R005C00SPC102, V100R005C00SPC103, V100R005C00SPC200, V100R005C00SPC201T, V500R002C00, V600R006C00 has an input validation vulnerability when handle TLS and DTLS handshake with certificate. Due to the insufficient validation of received PKI certificates, remote attackers could exploit this vulnerability to crash the TLS module.
CVE-2017-1000209 1 Nv-websocket-client Project 1 Nv-websocket-client 2017-12-05 4.3 MEDIUM 5.9 MEDIUM
The Java WebSocket client nv-websocket-client does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL/TLS servers via an arbitrary valid certificate.
CVE-2017-9758 1 Savitech-ic 1 Savitech Driver 2017-11-30 5.8 MEDIUM 7.4 HIGH
Savitech driver packages for Windows silently install a self-signed certificate into the Trusted Root Certification Authorities store, aka "Inaudible Subversion."
CVE-2017-6144 1 F5 1 Big-ip Policy Enforcement Manager 2017-11-15 5.8 MEDIUM 7.4 HIGH
In F5 BIG-IP PEM 12.1.0 through 12.1.2 when downloading the Type Allocation Code (TAC) database file via HTTPS, the server's certificate is not verified. Attackers in a privileged network position may be able to launch a man-in-the-middle attack against these connections. TAC databases are used in BIG-IP PEM for Device Type and OS (DTOS) and Tethering detection. Customers not using BIG-IP PEM, not configuring downloads of TAC database files, or not using HTTP for that download are not affected.
CVE-2014-7242 1 Ms-ins 2 Sumaho, Sumaho Driving Capability Diagnosis 2017-11-08 4.3 MEDIUM 5.9 MEDIUM
The SumaHo application 3.0.0 and earlier for Android and the SumaHo "driving capability" diagnosis result transmission application 1.2.2 and earlier for Android allow man-in-the-middle attackers to spoof servers and obtain sensitive information by leveraging failure to verify SSL/TLS server certificates.
CVE-2014-3706 1 Redhat 1 Enterprise Mrg 2017-11-07 4.3 MEDIUM 5.9 MEDIUM
ovirt-engine, as used in Red Hat MRG 3, allows man-in-the-middle attackers to spoof servers by leveraging failure to verify key attributes in vdsm X.509 certificates.
CVE-2015-5639 1 Dwango 1 Niconico 2017-11-05 5.8 MEDIUM 7.4 HIGH
niconico App for iOS before 6.38 does not verify SSL certificates which could allow remote attackers to execute man-in-the-middle attacks.
CVE-2015-2988 1 Rakutencard 1 Rakuten Card 2017-11-03 4.0 MEDIUM 7.4 HIGH
Rakuten card App for iOS 5.2.0 through 5.2.4 does not verify SSL certificates which might allow remote attackers to execute man-in-the-middle attacks.
CVE-2015-6358 1 Cisco 48 Pvc2300, Pvc2300 Firmware, Rtp300 and 45 more 2017-11-03 4.3 MEDIUM 5.9 MEDIUM
Multiple Cisco embedded devices use hardcoded X.509 certificates and SSH host keys embedded in the firmware, which allows remote attackers to defeat cryptographic protection mechanisms and conduct man-in-the-middle attacks by leveraging knowledge of these certificates and keys from another installation, aka Bug IDs CSCuw46610, CSCuw46620, CSCuw46637, CSCuw46654, CSCuw46665, CSCuw46672, CSCuw46677, CSCuw46682, CSCuw46705, CSCuw46716, CSCuw46979, CSCuw47005, CSCuw47028, CSCuw47040, CSCuw47048, CSCuw47061, CSCuw90860, CSCuw90869, CSCuw90875, CSCuw90881, CSCuw90899, and CSCuw90913.