CWE-295
AllowedImproper Certificate Validation
Abstraction: Base · Status: Draft
The product does not validate, or incorrectly validates, a certificate.
1906 vulnerabilities reference this CWE, most recent first.
GHSA-RPX3-3F8J-F6V2
Vulnerability from github – Published: 2026-05-13 18:30 – Updated: 2026-05-13 18:30aria2c accepts a server certificate with incorrect Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.
{
"affected": [],
"aliases": [
"CVE-2026-8367"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-13T16:17:04Z",
"severity": "MODERATE"
},
"details": "aria2c accepts a server certificate with incorrect Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.",
"id": "GHSA-rpx3-3f8j-f6v2",
"modified": "2026-05-13T18:30:57Z",
"published": "2026-05-13T18:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8367"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/research/tra-2026-38"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RQMR-F8R9-69WQ
Vulnerability from github – Published: 2024-08-05 15:30 – Updated: 2024-09-25 03:30A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic.
{
"affected": [],
"aliases": [
"CVE-2024-7383"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-05T14:15:35Z",
"severity": "MODERATE"
},
"details": "A flaw was found in libnbd. The client did not always correctly verify the NBD server\u0027s certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic.",
"id": "GHSA-rqmr-f8r9-69wq",
"modified": "2024-09-25T03:30:35Z",
"published": "2024-08-05T15:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7383"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6757"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6964"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-7383"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2302865"
},
{
"type": "WEB",
"url": "https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/message/LHR3BW6RJ7K4BJBQIYV3GTZLSY27VZO2"
},
{
"type": "WEB",
"url": "https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/ENZY4LHLARA3N4C3JUNLPYUCXHFO7BWQ"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RR3P-5FCF-V5M3
Vulnerability from github – Published: 2023-06-14 15:30 – Updated: 2024-01-30 23:13Jenkins Checkmarx Plugin 2022.4.3 and earlier disables SSL/TLS validation for connections to the Checkmarx server by default.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2022.4.3"
},
"package": {
"ecosystem": "Maven",
"name": "com.checkmarx.jenkins:checkmarx"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2023.2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-35142"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-30T23:13:05Z",
"nvd_published_at": "2023-06-14T13:15:11Z",
"severity": "HIGH"
},
"details": "Jenkins Checkmarx Plugin 2022.4.3 and earlier disables SSL/TLS validation for connections to the Checkmarx server by default.",
"id": "GHSA-rr3p-5fcf-v5m3",
"modified": "2024-01-30T23:13:05Z",
"published": "2023-06-14T15:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35142"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-2870"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/06/14/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "SSL/TLS certificate validation disabled by default in Jenkins Checkmarx Plugin"
}
GHSA-RRGX-WGV5-5HF9
Vulnerability from github – Published: 2026-06-15 21:30 – Updated: 2026-06-16 15:33In OCaml-TLS before 2.1.0, the client implementation does insufficient checks of the certificate provided by the server, which allows impersonation with certificates that are not meant for server authentication (because of KeyUsage and ExtendedKeyUsage).
{
"affected": [],
"aliases": [
"CVE-2026-45388"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-15T20:16:28Z",
"severity": "CRITICAL"
},
"details": "In OCaml-TLS before 2.1.0, the client implementation does insufficient checks of the certificate provided by the server, which allows impersonation with certificates that are not meant for server authentication (because of KeyUsage and ExtendedKeyUsage).",
"id": "GHSA-rrgx-wgv5-5hf9",
"modified": "2026-06-16T15:33:47Z",
"published": "2026-06-15T21:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45388"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/OSEC-2026-06"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RRRJ-WQPH-2CMR
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2022-05-24 16:48The ABB CP635 HMI uses two different transmission methods to upgrade its firmware and its software components: "Utilization of USB/SD Card to flash the device" and "Remote provisioning process via ABB Panel Builder 600 over FTP." Neither of these transmission methods implements any form of encryption or authenticity checks against the new firmware HMI software binary files.
{
"affected": [],
"aliases": [
"CVE-2019-7229"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-494"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-24T18:15:00Z",
"severity": "HIGH"
},
"details": "The ABB CP635 HMI uses two different transmission methods to upgrade its firmware and its software components: \"Utilization of USB/SD Card to flash the device\" and \"Remote provisioning process via ABB Panel Builder 600 over FTP.\" Neither of these transmission methods implements any form of encryption or authenticity checks against the new firmware HMI software binary files.",
"id": "GHSA-rrrj-wqph-2cmr",
"modified": "2022-05-24T16:48:37Z",
"published": "2022-05-24T16:48:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7229"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=3ADR010376\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=3ADR010402\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"type": "WEB",
"url": "https://www.darkmatter.ae/xen1thlabs/abb-hmi-absence-of-signature-verification-vulnerability-xl-19-005"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/153387/ABB-HMI-Missing-Signature-Verification.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2019/Jun/34"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RVC6-CVQ7-4G2Q
Vulnerability from github – Published: 2023-03-29 21:30 – Updated: 2023-04-05 15:30This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of NETGEAR R6700v3 1.0.4.120_10.0.91 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the downloading of files via HTTPS. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-15797.
{
"affected": [],
"aliases": [
"CVE-2022-27644"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-29T19:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of NETGEAR R6700v3 1.0.4.120_10.0.91 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the downloading of files via HTTPS. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-15797.",
"id": "GHSA-rvc6-cvq7-4g2q",
"modified": "2023-04-05T15:30:23Z",
"published": "2023-03-29T21:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27644"
},
{
"type": "WEB",
"url": "https://kb.netgear.com/000064721/Security-Advisory-for-Multiple-Vulnerabilities-on-Multiple-Products-PSV-2021-0324"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-520"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RVCJ-9XFM-M9HR
Vulnerability from github – Published: 2024-06-25 15:31 – Updated: 2025-12-23 18:30Improper Certificate Validation vulnerability in LibreOffice "LibreOfficeKit" mode disables TLS certification verification
LibreOfficeKit can be used for accessing LibreOffice functionality through C/C++. Typically this is used by third party components to reuse LibreOffice as a library to convert, view or otherwise interact with documents.
LibreOffice internally makes use of "curl" to fetch remote resources such as images hosted on webservers.
In affected versions of LibreOffice, when used in LibreOfficeKit mode only, then curl's TLS certification verification was disabled (CURLOPT_SSL_VERIFYPEER of false)
In the fixed versions curl operates in LibreOfficeKit mode the same as in standard mode with CURLOPT_SSL_VERIFYPEER of true.
This issue affects LibreOffice before version 24.2.4.
{
"affected": [],
"aliases": [
"CVE-2024-5261"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-25T13:15:50Z",
"severity": "CRITICAL"
},
"details": "Improper Certificate Validation vulnerability in LibreOffice \"LibreOfficeKit\" mode disables TLS certification verification\n\nLibreOfficeKit can be used for accessing LibreOffice functionality \nthrough C/C++. Typically this is used by third party components to reuse\n LibreOffice as a library to convert, view or otherwise interact with \ndocuments.\n\nLibreOffice internally makes use of \"curl\" to fetch remote resources such as images hosted on webservers.\n\nIn\n affected versions of LibreOffice, when used in LibreOfficeKit mode \nonly, then curl\u0027s TLS certification verification was disabled \n(CURLOPT_SSL_VERIFYPEER of false)\n\nIn the fixed versions curl operates in LibreOfficeKit mode the same as in standard mode with CURLOPT_SSL_VERIFYPEER of true.\n\nThis issue affects LibreOffice before version 24.2.4.",
"id": "GHSA-rvcj-9xfm-m9hr",
"modified": "2025-12-23T18:30:19Z",
"published": "2024-06-25T15:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5261"
},
{
"type": "WEB",
"url": "https://www.libreoffice.org/about-us/security/advisories/cve-2024-5261"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RVPR-922X-MXGG
Vulnerability from github – Published: 2025-11-13 15:30 – Updated: 2025-11-13 15:30Improper certificate validation in certain Zoom Clients may allow an unauthenticated user to conduct a disclosure of information via adjacent access.
{
"affected": [],
"aliases": [
"CVE-2025-30669"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-13T15:15:51Z",
"severity": "MODERATE"
},
"details": "Improper certificate validation in certain Zoom Clients may allow an unauthenticated user to conduct a disclosure of information via adjacent access.",
"id": "GHSA-rvpr-922x-mxgg",
"modified": "2025-11-13T15:30:31Z",
"published": "2025-11-13T15:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30669"
},
{
"type": "WEB",
"url": "https://www.zoom.com/en/trust/security-bulletin/zsb-25044"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RW69-WR48-W7PX
Vulnerability from github – Published: 2023-12-01 00:31 – Updated: 2023-12-01 00:31KEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect.
{
"affected": [],
"aliases": [
"CVE-2023-5909"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-297"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-30T22:15:10Z",
"severity": "HIGH"
},
"details": "\n\n\n\n\n\n\n\n\nKEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect.\n\n\n\n\n\n\n\n",
"id": "GHSA-rw69-wr48-w7px",
"modified": "2023-12-01T00:31:00Z",
"published": "2023-12-01T00:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5909"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RWGM-F83R-V3QJ
Vulnerability from github – Published: 2021-05-19 23:03 – Updated: 2021-06-18 20:29Impact
An improper error handling in HTTPS requests management in WP-CLI version 0.12.0 and later allows remote attackers able to intercept the communication to remotely disable the certificate verification on WP-CLI side, gaining full control over the communication content, including the ability to impersonate update servers and push malicious updates towards WordPress instances controlled by the vulnerable WP-CLI agent, or push malicious updates toward WP-CLI itself.
Patches
The vulnerability stems from the fact that the default behavior of WP_CLI\Utils\http_request() when encountering a TLS handshake error is to disable certificate validation and retry the same request.
The default behavior has been changed with version 2.5.0 of WP-CLI and the wp-cli/wp-cli framework (via https://github.com/wp-cli/wp-cli/pull/5523) so that the WP_CLI\Utils\http_request() method accepts an $insecure option that is false by default and consequently that a TLS handshake failure is a hard error by default. This new default is a breaking change and ripples through to all consumers of WP_CLI\Utils\http_request(), including those in separate WP-CLI bundled or third-party packages.
https://github.com/wp-cli/wp-cli/pull/5523 has also added an --insecure flag to the cli update command to counter this breaking change.
Subsequent PRs on the command repositories have added an --insecure flag to the appropriate commands on the following repositories to counter the breaking change:
- https://github.com/wp-cli/config-command/pull/128
- https://github.com/wp-cli/core-command/pull/186
- https://github.com/wp-cli/extension-command/pull/287
- https://github.com/wp-cli/checksum-command/pull/86
- https://github.com/wp-cli/package-command/pull/138
Workarounds
There is no direct workaround for the default insecure behavior of wp-cli/wp-cli versions before 2.5.0.
The workaround for dealing with the breaking change in the commands directly affected by the new secure default behavior is to add the --insecure flag to manually opt-in to the previous insecure behavior.
References
For more information
If you have any questions or comments about this advisory:
* Join the #cli channel in the WordPress.org Slack to ask questions or provide feedback.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "wp-cli/wp-cli"
},
"ranges": [
{
"events": [
{
"introduced": "0.12.0"
},
{
"fixed": "2.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29504"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-19T19:51:53Z",
"nvd_published_at": "2021-06-07T21:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\nAn improper error handling in HTTPS requests management in WP-CLI version 0.12.0 and later allows remote attackers able to intercept the communication to remotely disable the certificate verification on WP-CLI side, gaining full control over the communication content, including the ability to impersonate update servers and push malicious updates towards WordPress instances controlled by the vulnerable WP-CLI agent, or push malicious updates toward WP-CLI itself.\n\n### Patches\nThe vulnerability stems from the fact that the default behavior of `WP_CLI\\Utils\\http_request()` when encountering a TLS handshake error is to disable certificate validation and retry the same request.\n\nThe default behavior has been changed with version 2.5.0 of WP-CLI and the `wp-cli/wp-cli` framework (via https://github.com/wp-cli/wp-cli/pull/5523) so that the `WP_CLI\\Utils\\http_request()` method accepts an `$insecure` option that is `false` by default and consequently that a TLS handshake failure is a hard error by default. This new default is a breaking change and ripples through to all consumers of `WP_CLI\\Utils\\http_request()`, including those in separate WP-CLI bundled or third-party packages.\n\nhttps://github.com/wp-cli/wp-cli/pull/5523 has also added an `--insecure` flag to the `cli update` command to counter this breaking change.\n\nSubsequent PRs on the command repositories have added an `--insecure` flag to the appropriate commands on the following repositories to counter the breaking change:\n\n* https://github.com/wp-cli/config-command/pull/128\n* https://github.com/wp-cli/core-command/pull/186\n* https://github.com/wp-cli/extension-command/pull/287\n* https://github.com/wp-cli/checksum-command/pull/86\n* https://github.com/wp-cli/package-command/pull/138\n\n### Workarounds\nThere is no direct workaround for the default insecure behavior of `wp-cli/wp-cli` versions before 2.5.0.\n\nThe workaround for dealing with the breaking change in the commands directly affected by the new secure default behavior is to add the `--insecure` flag to manually opt-in to the previous insecure behavior.\n\n### References\n* [CWE: Improper Certificate Validation](https://cwe.mitre.org/data/definitions/295.html)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Join the `#cli` channel in the [WordPress.org Slack](https://make.wordpress.org/chat/) to ask questions or provide feedback.\n",
"id": "GHSA-rwgm-f83r-v3qj",
"modified": "2021-06-18T20:29:34Z",
"published": "2021-05-19T23:03:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/wp-cli/wp-cli/security/advisories/GHSA-rwgm-f83r-v3qj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29504"
},
{
"type": "WEB",
"url": "https://github.com/wp-cli/checksum-command/pull/86"
},
{
"type": "WEB",
"url": "https://github.com/wp-cli/config-command/pull/128"
},
{
"type": "WEB",
"url": "https://github.com/wp-cli/core-command/pull/186"
},
{
"type": "WEB",
"url": "https://github.com/wp-cli/extension-command/pull/287"
},
{
"type": "WEB",
"url": "https://github.com/wp-cli/package-command/pull/138"
},
{
"type": "WEB",
"url": "https://github.com/wp-cli/wp-cli/pull/5523"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/wp-cli/wp-cli/CVE-2021-29504.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Certificate Validation in WP-CLI framework"
}
Mitigation
Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.
Mitigation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.