Total
1090 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-11580 | 4 Apple, Linux, Oracle and 1 more | 5 Macos, Linux Kernel, Solaris and 2 more | 2024-08-04 | 9.1 Critical |
| An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, accepts an arbitrary SSL certificate. | ||||
| CVE-2020-11050 | 1 Java-websocket Project | 1 Java-websocket | 2024-08-04 | 9 Critical |
| In Java-WebSocket less than or equal to 1.4.1, there is an Improper Validation of Certificate with Host Mismatch where WebSocketClient does not perform SSL hostname validation. This has been patched in 1.5.0. | ||||
| CVE-2020-10925 | 1 Netgear | 2 R6700, R6700 Firmware | 2024-08-04 | 8.8 High |
| This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the downloading of files via HTTPS. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-9647. | ||||
| CVE-2020-10659 | 2 Entrustdatacard, Microsoft | 2 Entelligence Security Provider, Windows | 2024-08-04 | 4.3 Medium |
| Entrust Entelligence Security Provider (ESP) before 10.0.60 on Windows mishandles errors during SSL Certificate Validation, leading to situations where (for example) a user continues to interact with a web site that has an invalid certificate chain. | ||||
| CVE-2020-9868 | 1 Apple | 5 Ipados, Iphone Os, Mac Os X and 2 more | 2024-08-04 | 9.1 Critical |
| A certificate validation issue existed when processing administrator added certificates. This issue was addressed with improved certificate validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8. An attacker may have been able to impersonate a trusted website using shared key material for an administrator added certificate. | ||||
| CVE-2020-9488 | 5 Apache, Debian, Oracle and 2 more | 53 Log4j, Debian Linux, Communications Application Session Controller and 50 more | 2024-08-04 | 3.7 Low |
| Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1 | ||||
| CVE-2020-9432 | 1 Lua-openssl Project | 1 Lua-openssl | 2024-08-04 | 9.1 Critical |
| openssl_x509_check_host in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values. | ||||
| CVE-2020-9434 | 1 Lua-openssl Project | 1 Lua-openssl | 2024-08-04 | 9.1 Critical |
| openssl_x509_check_ip_asc in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values. | ||||
| CVE-2020-9433 | 1 Lua-openssl Project | 1 Lua-openssl | 2024-08-04 | 9.1 Critical |
| openssl_x509_check_email in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values. | ||||
| CVE-2020-9321 | 1 Traefik | 1 Traefik | 2024-08-04 | 7.5 High |
| configurationwatcher.go in Traefik 2.x before 2.1.4 and TraefikEE 2.0.0 mishandles the purging of certificate contents from providers before logging. | ||||
| CVE-2020-9040 | 1 Couchbase | 1 Couchbase Server Java Sdk | 2024-08-04 | 7.5 High |
| Couchbase Server Java SDK before 2.7.1.1 allows a potential attacker to forge an SSL certificate and pose as the intended peer. An attacker can leverage this flaw by crafting a cryptographically valid certificate that will be accepted by Java SDK's Netty component due to missing hostname verification. | ||||
| CVE-2020-8987 | 1 Avast | 2 Antitrack, Avg Antitrack | 2024-08-04 | 7.4 High |
| Avast AntiTrack before 1.5.1.172 and AVG Antitrack before 2.0.0.178 proxies traffic to HTTPS sites but does not validate certificates, and thus a man-in-the-middle can host a malicious website using a self-signed certificate. No special action necessary by the victim using AntiTrack with "Allow filtering of HTTPS traffic for tracking detection" enabled. (This is the default configuration.) | ||||
| CVE-2020-8289 | 1 Backblaze | 1 Backblaze | 2024-08-04 | 7.8 High |
| Backblaze for Windows before 7.0.1.433 and Backblaze for macOS before 7.0.1.434 suffer from improper certificate validation in `bztransmit` helper due to hardcoded whitelist of strings in URLs where validation is disabled leading to possible remote code execution via client update functionality. | ||||
| CVE-2020-8279 | 1 Nextcloud | 1 Social | 2024-08-04 | 7.4 High |
| Missing validation of server certificates for out-going connections in Nextcloud Social < 0.4.0 allowed a man-in-the-middle attack. | ||||
| CVE-2020-8172 | 3 Nodejs, Oracle, Redhat | 8 Node.js, Banking Extensibility Workbench, Blockchain Platform and 5 more | 2024-08-04 | 7.4 High |
| TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0. | ||||
| CVE-2020-8156 | 2 Fedoraproject, Nextcloud | 2 Fedora, Nextcloud Mail | 2024-08-04 | 7.0 High |
| A missing verification of the TLS host in Nextcloud Mail 1.1.3 allowed a man in the middle attack. | ||||
| CVE-2020-7956 | 1 Hashicorp | 1 Nomad | 2024-08-04 | 9.8 Critical |
| HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC, and were susceptible to privilege escalation. Fixed in 0.10.3. | ||||
| CVE-2020-7942 | 2 Puppet, Redhat | 4 Puppet, Puppet Agent, Satellite and 1 more | 2024-08-04 | 6.5 Medium |
| Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 and 5.5.19 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior. Affected software versions: Puppet 6.x prior to 6.13.0 Puppet Agent 6.x prior to 6.13.0 Puppet 5.5.x prior to 5.5.19 Puppet Agent 5.5.x prior to 5.5.19 Resolved in: Puppet 6.13.0 Puppet Agent 6.13.0 Puppet 5.5.19 Puppet Agent 5.5.19 | ||||
| CVE-2020-7919 | 4 Debian, Fedoraproject, Golang and 1 more | 4 Debian Linux, Fedora, Go and 1 more | 2024-08-04 | 7.5 High |
| Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate. | ||||
| CVE-2020-7904 | 1 Jetbrains | 1 Intellij Idea | 2024-08-04 | 7.4 High |
| In JetBrains IntelliJ IDEA before 2019.3, some Maven repositories were accessed via HTTP instead of HTTPS. | ||||