Total
1132 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-49250 | 1 Apache | 1 Dolphinscheduler | 2025-02-13 | 7.3 High |
| Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server. This issue affects Apache DolphinScheduler: before 3.2.0. Users are recommended to upgrade to version 3.2.1, which fixes the issue. | ||||
| CVE-2023-46724 | 2 Redhat, Squid-cache | 6 Enterprise Linux, Rhel Aus, Rhel E4s and 3 more | 2025-02-13 | 8.6 High |
| Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who you use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages. | ||||
| CVE-2024-29072 | 1 Foxitsoftware | 1 Foxit Reader | 2025-02-13 | 8.2 High |
| A privilege escalation vulnerability exists in the Foxit Reader 2024.2.0.25138. The vulnerability occurs due to improper certification validation of the updater executable before executing it. A low privilege user can trigger the update action which can result in unexpected elevation of privilege. | ||||
| CVE-2024-28162 | 2025-02-13 | 4.2 Medium | ||
| In Jenkins Delphix Plugin 3.0.1 through 3.1.0 (both inclusive) a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections fails to take effect until Jenkins is restarted when switching from disabled validation to enabled validation. | ||||
| CVE-2024-28161 | 2025-02-13 | 5.3 Medium | ||
| In Jenkins Delphix Plugin 3.0.1, a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections is disabled by default. | ||||
| CVE-2024-25141 | 1 Apache | 1 Airflow Mongo Provider | 2025-02-13 | 9.1 Critical |
| When ssl was enabled for Mongo Hook, default settings included "allow_insecure" which caused that certificates were not validated. This was unexpected and undocumented. Users are recommended to upgrade to version 4.0.0, which fixes this issue. | ||||
| CVE-2024-2379 | 1 Redhat | 1 Jboss Core Services | 2025-02-13 | 6.3 Medium |
| libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems. | ||||
| CVE-2024-23273 | 1 Apple | 4 Ipad Os, Iphone Os, Macos and 1 more | 2025-02-13 | 4.3 Medium |
| This issue was addressed through improved state management. This issue is fixed in Safari 17.4, iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4. Private Browsing tabs may be accessed without authentication. | ||||
| CVE-2024-2048 | 1 Hashicorp | 2 Vault, Vault Enterprise | 2025-02-13 | 8.1 High |
| Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. In this configuration, an attacker may be able to craft a malicious certificate that could be used to bypass authentication. Fixed in Vault 1.15.5 and 1.14.10. | ||||
| CVE-2024-0853 | 1 Haxx | 1 Curl | 2025-02-13 | 5.3 Medium |
| curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check. | ||||
| CVE-2023-1409 | 3 Apple, Microsoft, Mongodb | 3 Macos, Windows, Mongodb | 2025-02-13 | 5.3 Medium |
| If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing client to establish a TLS connection with the server that supplies any certificate. This issue affect all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14 and all MongoDB Server v4.4 versions. | ||||
| CVE-2023-39441 | 1 Apache | 3 Airflow, Apache-airflow-providers-imap, Apache-airflow-providers-smtp | 2025-02-13 | 5.9 Medium |
| Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability. The default SSL context with SSL library did not check a server's X.509 certificate. Instead, the code accepted any certificate, which could result in the disclosure of mail server credentials or mail contents when the client connects to an attacker in a MITM position. Users are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer to mitigate the risk associated with this vulnerability | ||||
| CVE-2023-34414 | 2 Mozilla, Redhat | 8 Firefox, Firefox Esr, Thunderbird and 5 more | 2025-02-13 | 3.1 Low |
| The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a site with a certificate error and made the renderer extremely busy at the same time, it could create a gap between when the error page was loaded and when the display actually refreshed. With the right timing the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12. | ||||
| CVE-2023-26463 | 1 Strongswan | 1 Strongswan | 2025-02-13 | 9.8 Critical |
| strongSwan 5.9.8 and 5.9.9 potentially allows remote code execution because it uses a variable named "public" for two different purposes within the same function. There is initially incorrect access control, later followed by an expired pointer dereference. One attack vector is sending an untrusted client certificate during EAP-TLS. A server is affected only if it loads plugins that implement TLS-based EAP methods (EAP-TLS, EAP-TTLS, EAP-PEAP, or EAP-TNC). This is fixed in 5.9.10. | ||||
| CVE-2023-0464 | 2 Openssl, Redhat | 4 Openssl, Enterprise Linux, Jboss Core Services and 1 more | 2025-02-13 | 7.5 High |
| A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. | ||||
| CVE-2022-32509 | 2025-02-13 | 8.8 High | ||
| An issue was discovered on certain Nuki Home Solutions devices. Lack of certificate validation on HTTP communications allows attackers to intercept and tamper data. This affects Nuki Smart Lock 3.0 before 3.3.5, Nuki Bridge v1 before 1.22.0 and Nuki Bridge v2 before 2.13.2. | ||||
| CVE-2024-29171 | 2025-02-13 | 5.9 Medium | ||
| Dell BSAFE SSL-J, versions prior to 6.6 and versions 7.0 through 7.2, contains an Improper certificate verification vulnerability. A remote attacker could potentially exploit this vulnerability, leading to information disclosure. | ||||
| CVE-2024-52329 | 2025-02-12 | 7.4 High | ||
| ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens. | ||||
| CVE-2024-52330 | 2025-02-12 | 7.4 High | ||
| ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates. | ||||
| CVE-2025-0500 | 2025-02-12 | 7.5 High | ||
| An issue in the native clients for Amazon WorkSpaces (when running Amazon DCV protocol), Amazon AppStream 2.0, and Amazon DCV Clients may allow an attacker to access remote sessions via man-in-the-middle. | ||||