| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| GnuTLS before 3.3.13 does not validate that the signature algorithms match when importing a certificate. |
| vdsm and vdsclient does not validate certficate hostname from another vdsm which could facilitate a man-in-the-middle attack |
| A insecure configuration for certificate verification (http.verify_mode = OpenSSL::SSL::VERIFY_NONE) may lead to verification bypass in Red Hat CloudForms 5.x. |
| DefaultHostnameVerifier in Ldaptive (formerly vt-ldap) does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
| The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
| duplicity 0.6.24 has improper verification of SSL certificates |
| The libwww-perl LWP::Protocol::https module 6.04 through 6.06 for Perl, when using IO::Socket::SSL as the SSL socket class, allows attackers to disable server certificate validation via the (1) HTTPS_CA_DIR or (2) HTTPS_CA_FILE environment variable. |
| wolfssl before 3.2.0 does not properly authorize CA certificate for signing other certificates. |
| wolfssl before 3.2.0 does not properly issue certificates for a server's hostname. |
| ovirt-engine-sdk-python before 3.4.0.7 and 3.5.0.4 does not verify that the hostname of the remote endpoint matches the Common Name (CN) or subjectAltName as specified by its x.509 certificate in a TLS/SSL session. This could allow man-in-the-middle attackers to spoof remote endpoints via an arbitrary valid certificate. |
| In fence-agents before 4.0.17 does not verify remote SSL certificates in the fence_cisco_ucs.py script which can potentially allow for man-in-the-middle attackers to spoof SSL servers via arbitrary SSL certificates. |
| WebHybridClient.java in PayPal 5.3 and earlier for Android ignores SSL errors, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information. |
| Cache Poisoning issue exists in DNS Response Rate Limiting. |
| HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates. |
| Verax NMS prior to 2.10 allows authentication via the encrypted password without knowing the cleartext password. |
| An import error was introduced in Cumin in the code refactoring in r5310. Server certificate validation is always disabled when connecting to Aviary servers, even if the installed packages on a system support it. |
| ELinks 0.12 and Twibright Links 2.3 have Missing SSL Certificate Validation. |
| An privilege elevation vulnerability exists in Cloud-init before 0.7.0 when requests to an untrusted system are submitted for EC2 instance data. |
| nuSOAP before 0.7.3-5 does not properly check the hostname of a cert. |
| vdsm: certificate generation upon node creation allowing vdsm to start and serve requests from anyone who has a matching key (and certificate) |
