CWE-295
AllowedImproper Certificate Validation
Abstraction: Base · Status: Draft
The product does not validate, or incorrectly validates, a certificate.
1908 vulnerabilities reference this CWE, most recent first.
GHSA-M9GH-789G-Q5PV
Vulnerability from github – Published: 2025-12-15 12:30 – Updated: 2025-12-16 15:52Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.elasticsearch:elasticsearch"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0-alpha1"
},
{
"fixed": "8.19.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.elasticsearch:elasticsearch"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0-beta1"
},
{
"fixed": "9.1.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.elasticsearch:elasticsearch"
},
"ranges": [
{
"events": [
{
"introduced": "9.2.0"
},
{
"fixed": "9.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-37731"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-16T15:52:23Z",
"nvd_published_at": "2025-12-15T11:15:39Z",
"severity": "MODERATE"
},
"details": "Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority.",
"id": "GHSA-m9gh-789g-q5pv",
"modified": "2025-12-16T15:52:24Z",
"published": "2025-12-15T12:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37731"
},
{
"type": "WEB",
"url": "https://github.com/elastic/elasticsearch/commit/cd97b8566bf56e628070021300784cb9cee0286f"
},
{
"type": "WEB",
"url": "https://github.com/elastic/elasticsearch/commit/d8a408da79f214395845d99d241e832077045983"
},
{
"type": "WEB",
"url": "https://github.com/elastic/elasticsearch/commit/e519fe4c51a3c887675eb7daea2f914738847f23"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/elasticsearch-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-27/384063"
},
{
"type": "PACKAGE",
"url": "https://github.com/elastic/elasticsearch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Elasticsearch PKI Realm Authentication Bypass Vulnerability Allows User Impersonation Through Crafted Client Certificates"
}
GHSA-M9W8-V359-9FFR
Vulnerability from github – Published: 2018-10-19 16:42 – Updated: 2022-11-17 19:38TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.activemq:activemq-client"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.15.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-11775"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:45:46Z",
"nvd_published_at": "2018-09-10T20:29:00Z",
"severity": "HIGH"
},
"details": "TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.",
"id": "GHSA-m9w8-v359-9ffr",
"modified": "2022-11-17T19:38:02Z",
"published": "2018-10-19T16:42:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11775"
},
{
"type": "WEB",
"url": "https://github.com/apache/activemq/commit/02971a40e281713a8397d3a1809c164b594abfbb"
},
{
"type": "WEB",
"url": "https://github.com/apache/activemq/commit/bde7097fb8173cf871827df7811b3865679b963d"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3892"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-m9w8-v359-9ffr"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/activemq"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/AMQ-7047"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/03f91b1fb85686a848cee6b90112cf6059bd1b21b23bacaa11a962e1@%3Cdev.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/2b5c0039197a4949f29e1e2c9441ab38d242946b966f61c110808bcc@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/fcbe6ad00f1de142148c20d813fae3765dc4274955e3e2f3ca19ff7b@%3Cdev.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rb698ed085f79e56146ca24ab359c9ef95846618675ea1ef402e04a6d@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00005.html"
},
{
"type": "WEB",
"url": "http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Certificate Validation in Apache activemq-client"
}
GHSA-MC24-7M59-4Q5P
Vulnerability from github – Published: 2026-02-01 17:58 – Updated: 2026-02-27 20:41Impact
A vulnerability has been identified within Rancher Manager, where using self-signed CA certificates and passing the -skip-verify flag to the Rancher CLI login command without also passing the –cacert flag results in the CLI attempting to fetch CA certificates stored in Rancher’s setting cacerts. This does not apply to any other commands and only applies to the login command if the –cacert flag was not provided.
An attacker with network-level access between the Rancher CLI and Rancher Manager could interfere with the TLS handshake to return a CA they control, despite the use of the --skip-verify flag. This may be abused to bypass TLS as a security control. Attackers can also see basic authentication headers in a Man-in-the-Middle due to the lack of TLS enforcement.
Please consult the associated MITRE ATT&CK - Technique - Man-in-the-Middle for further information about this category of attack.
Patches
This vulnerability is addressed by removing the ability to fetch CA certificates stored in Rancher’s setting cacerts when using the login command. Whenever required, for example when using self-signed certificates, CA certificates have to be explicitly passed with the –cacert flag.
Patched versions of Rancher include releases v2.13.2, v2.12.6, v2.11.10, and v2.10.11.
Workarounds
If a projecct can't upgrade to a fixed version, please make sure whenever required, for example when using self-signed certificates, to always explicitly pass CA certificates with the –cacert flag when using the login command.
References
If there are any questions or comments about this advisory: - Reach out to the SUSE Rancher Security team for security related inquiries. - Open an issue in the Rancher repository. - Verify with the support matrix and product support lifecycle.
Note: Rancher versions beyond 2.3.0-alpha5 are no longer supported at pkg.go.dev, follow Rancher installation instructions for newer versions.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/rancher"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260129092249-bb0625fd1896"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/rancher"
},
"ranges": [
{
"events": [
{
"introduced": "2.13.0"
},
{
"fixed": "2.13.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/rancher"
},
"ranges": [
{
"events": [
{
"introduced": "2.12.0"
},
{
"fixed": "2.12.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/rancher"
},
"ranges": [
{
"events": [
{
"introduced": "2.11.0"
},
{
"fixed": "2.11.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/rancher"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.0"
},
{
"fixed": "2.10.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-67601"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-01T17:58:57Z",
"nvd_published_at": "2026-02-25T11:16:02Z",
"severity": "HIGH"
},
"details": "### Impact\nA vulnerability has been identified within Rancher Manager, where using self-signed CA certificates and passing the `-skip-verify` flag to the Rancher CLI login command without also passing the `\u2013cacert` flag results in the CLI attempting to fetch CA certificates stored in Rancher\u2019s setting cacerts. This does not apply to any other commands and only applies to the login command if the `\u2013cacert` flag was not provided.\n\nAn attacker with network-level access between the Rancher CLI and Rancher Manager could interfere with the TLS handshake to return a CA they control, despite the use of the `--skip-verify` flag. This may be abused to bypass TLS as a security control. Attackers can also see basic authentication headers in a Man-in-the-Middle due to the lack of TLS enforcement.\n\nPlease consult the associated [MITRE ATT\u0026CK - Technique - Man-in-the-Middle](https://attack.mitre.org/techniques/T1557/) for further information about this category of attack.\n\n### Patches\nThis vulnerability is addressed by removing the ability to fetch CA certificates stored in Rancher\u2019s setting cacerts when using the login command. Whenever required, for example when using self-signed certificates, CA certificates have to be explicitly passed with the \u2013cacert flag.\n\nPatched versions of Rancher include releases `v2.13.2`, `v2.12.6`, `v2.11.10`, and `v2.10.11`.\n\n### Workarounds\nIf a projecct can\u0027t upgrade to a fixed version, please make sure whenever required, for example when using self-signed certificates, to always explicitly pass CA certificates with the \u2013cacert flag when using the login command.\n\n\n### References\nIf there are any questions or comments about this advisory:\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify with the [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).\n\nNote: Rancher versions beyond 2.3.0-alpha5 are no longer supported at pkg.go.dev, follow [Rancher installation instructions for newer versions](https://ranchermanager.docs.rancher.com/v2.13/getting-started/installation-and-upgrade).",
"id": "GHSA-mc24-7m59-4q5p",
"modified": "2026-02-27T20:41:03Z",
"published": "2026-02-01T17:58:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rancher/rancher/security/advisories/GHSA-mc24-7m59-4q5p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67601"
},
{
"type": "WEB",
"url": "https://attack.mitre.org/techniques/T1557"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-67601"
},
{
"type": "PACKAGE",
"url": "https://github.com/rancher/rancher"
},
{
"type": "WEB",
"url": "https://github.com/rancher/rancher/releases/tag/v2.13.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Rancher CLI skips TLS verification on Rancher CLI login command"
}
GHSA-MCJH-PCFV-25RH
Vulnerability from github – Published: 2026-05-12 06:31 – Updated: 2026-05-12 06:31"Kura Sushi Official App" provided by EPG, Inc. is vulnerable to improper certificate validation. A man-in-the-middle attack may allow eavesdropping on, or altering, the communication on push notifications between the affected application and the relevant server.
{
"affected": [],
"aliases": [
"CVE-2026-41872"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-12T06:16:09Z",
"severity": "CRITICAL"
},
"details": "\"Kura Sushi Official App\" provided by EPG, Inc. is vulnerable to improper certificate validation. A man-in-the-middle attack may allow eavesdropping on, or altering, the communication on push notifications between the affected application and the relevant server.",
"id": "GHSA-mcjh-pcfv-25rh",
"modified": "2026-05-12T06:31:39Z",
"published": "2026-05-12T06:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41872"
},
{
"type": "WEB",
"url": "https://apps.apple.com/jp/app/id942355925"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN38632731"
},
{
"type": "WEB",
"url": "https://play.google.com/store/apps/details?id=jp.co.kura_corpo\u0026hl=ja"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MCQ7-35G4-3C5Q
Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2024-04-04 01:27It was discovered evolution-ews before 3.31.3 does not check the validity of SSL certificates. An attacker could abuse this flaw to get confidential information by tricking the user into connecting to a fake server without the user noticing the difference.
{
"affected": [],
"aliases": [
"CVE-2019-3890"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-01T14:15:00Z",
"severity": "HIGH"
},
"details": "It was discovered evolution-ews before 3.31.3 does not check the validity of SSL certificates. An attacker could abuse this flaw to get confidential information by tricking the user into connecting to a fake server without the user noticing the difference.",
"id": "GHSA-mcq7-35g4-3c5q",
"modified": "2024-04-04T01:27:21Z",
"published": "2022-05-24T16:52:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3890"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3699"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3890"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/evolution-ews/issues/27"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MF8R-M6VX-6FFF
Vulnerability from github – Published: 2025-06-06 18:30 – Updated: 2025-06-18 21:30An improper certificate validation vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers who have gained user access to compromise the security of the system.
We have already fixed the vulnerability in the following versions: File Station 5 5.5.6.4791 and later and later
{
"affected": [],
"aliases": [
"CVE-2025-29885"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-06T16:15:25Z",
"severity": "HIGH"
},
"details": "An improper certificate validation vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers who have gained user access to compromise the security of the system.\n\nWe have already fixed the vulnerability in the following versions:\nFile Station 5 5.5.6.4791 and later\n and later",
"id": "GHSA-mf8r-m6vx-6fff",
"modified": "2025-06-18T21:30:28Z",
"published": "2025-06-06T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29885"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-25-09"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MFJ7-9XW3-8J4J
Vulnerability from github – Published: 2026-03-17 18:30 – Updated: 2026-03-23 21:30The GL-iNet Comet (GL-RM1) KVM connects to a GL-iNet site during boot-up to provision client and CA certificates. The GL-RM1 does not verify certificates used for this connection, allowing an attacker-in-the-middle to serve invalid client and CA certificates. The GL-RM1 will attempt to use the invalid certificates and fail to connect to the legitimate GL-iNet KVM cloud service.
{
"affected": [],
"aliases": [
"CVE-2026-32293"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-17T18:16:16Z",
"severity": "MODERATE"
},
"details": "The GL-iNet Comet (GL-RM1) KVM connects to a GL-iNet site during boot-up to provision client and CA certificates. The GL-RM1 does not verify certificates used for this connection, allowing an attacker-in-the-middle to serve invalid client and CA certificates. The GL-RM1 will attempt to use the invalid certificates and fail to connect to the legitimate GL-iNet KVM cloud service.",
"id": "GHSA-mfj7-9xw3-8j4j",
"modified": "2026-03-23T21:30:49Z",
"published": "2026-03-17T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32293"
},
{
"type": "WEB",
"url": "https://dl.gl-inet.com/release/kvm/release/RM1/1.7.2"
},
{
"type": "WEB",
"url": "https://eclypsium.com/blog/your-kvm-is-the-weak-link-how-30-dollar-devices-can-own-your-entire-network"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32293"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MFJR-XFRH-92CF
Vulnerability from github – Published: 2024-07-09 18:30 – Updated: 2024-07-09 18:30An improper certificate validation vulnerability [CWE-295] in FortiADC 7.4.0, 7.2.0 through 7.2.3, 7.1 all versions, 7.0 all versions, 6.2 all versions, 6.1 all versions and 6.0 all versions may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the device and various remote servers such as private SDN connectors and FortiToken Cloud.
{
"affected": [],
"aliases": [
"CVE-2023-50178"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T16:15:03Z",
"severity": "HIGH"
},
"details": "An improper certificate validation vulnerability [CWE-295] in FortiADC 7.4.0, 7.2.0 through 7.2.3, 7.1 all versions, 7.0 all versions, 6.2 all versions, 6.1 all versions and 6.0 all versions may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the device and various remote servers such as private SDN connectors and FortiToken Cloud.",
"id": "GHSA-mfjr-xfrh-92cf",
"modified": "2024-07-09T18:30:48Z",
"published": "2024-07-09T18:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50178"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-22-298"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MFM6-R9G2-Q4R7
Vulnerability from github – Published: 2022-05-04 00:00 – Updated: 2022-06-17 00:05The function OCSP_basic_verify verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of OCSP_basic_verify will not use the OCSP_NOCHECKS flag. In this case the OCSP_basic_verify function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0. This issue also impacts the command line OpenSSL "ocsp" application. When verifying an ocsp response with the "-no_cert_checks" option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "openssl-src"
},
"ranges": [
{
"events": [
{
"introduced": "300.0.0"
},
{
"fixed": "300.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-1343"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-17T00:05:49Z",
"nvd_published_at": "2022-05-03T16:15:00Z",
"severity": "MODERATE"
},
"details": "The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of `OCSP_basic_verify` will not use the OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0. This issue also impacts the command line OpenSSL \"ocsp\" application. When verifying an ocsp response with the \"-no_cert_checks\" option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).",
"id": "GHSA-mfm6-r9g2-q4r7",
"modified": "2022-06-17T00:05:49Z",
"published": "2022-05-04T00:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1343"
},
{
"type": "WEB",
"url": "https://github.com/github/advisory-database/issues/405"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf"
},
{
"type": "WEB",
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2eda98790c5c2741d76d23cc1e74b0dc4f4b391a"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0027.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220602-0009"
},
{
"type": "WEB",
"url": "https://www.openssl.org/news/secadv/20220503.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "`OCSP_basic_verify` may incorrectly verify the response signing certificate"
}
GHSA-MFW6-89C3-F897
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32A vulnerability in the Pulse Secure Desktop Client < 9.1R9 could allow the attacker to perform a MITM Attack if end users are convinced to connect to a malicious server.
{
"affected": [],
"aliases": [
"CVE-2020-8241"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-28T13:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the Pulse Secure Desktop Client \u003c 9.1R9 could allow the attacker to perform a MITM Attack if end users are convinced to connect to a malicious server.",
"id": "GHSA-mfw6-89c3-f897",
"modified": "2022-05-24T17:32:43Z",
"published": "2022-05-24T17:32:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8241"
},
{
"type": "WEB",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.
Mitigation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.