CWE-295
AllowedImproper Certificate Validation
Abstraction: Base · Status: Draft
The product does not validate, or incorrectly validates, a certificate.
1903 vulnerabilities reference this CWE, most recent first.
GHSA-WRGJ-7835-QFH2
Vulnerability from github – Published: 2026-01-29 06:30 – Updated: 2026-01-29 06:30Multiple MFPs provided by Brother Industries, Ltd. does not properly validate server certificates, which may allow a man-in-the-middle attacker to replace the set of root certificates used by the product with a set of arbitrary certificates.
{
"affected": [],
"aliases": [
"CVE-2025-53869"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-29T04:15:51Z",
"severity": "MODERATE"
},
"details": "Multiple MFPs provided by Brother Industries, Ltd. does not properly validate server certificates, which may allow a man-in-the-middle attacker to replace the set of root certificates used by the product with a set of arbitrary certificates.",
"id": "GHSA-wrgj-7835-qfh2",
"modified": "2026-01-29T06:30:17Z",
"published": "2026-01-29T06:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53869"
},
{
"type": "WEB",
"url": "https://faq.brother.co.jp/app/answers/detail/a_id/13716"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU92878805"
},
{
"type": "WEB",
"url": "https://www.konicaminolta.com/global-en/security/advisory/pdf/km-2026-0001.pdf"
},
{
"type": "WEB",
"url": "https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2026-000001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WRMR-2JQG-XW9R
Vulnerability from github – Published: 2022-06-02 00:00 – Updated: 2022-06-09 00:00Dell BSAFE Micro Edition Suite, versions prior to 4.5.1, contain an Improper Certificate Validation vulnerability.
{
"affected": [],
"aliases": [
"CVE-2020-26184"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-01T15:15:00Z",
"severity": "HIGH"
},
"details": "Dell BSAFE Micro Edition Suite, versions prior to 4.5.1, contain an Improper Certificate Validation vulnerability.",
"id": "GHSA-wrmr-2jqg-xw9r",
"modified": "2022-06-09T00:00:16Z",
"published": "2022-06-02T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26184"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/article/en-us/sln322935/dsa-2020-245-dell-bsafe-micro-edition-suite-multiple-vulnerabilities?lang=en"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WRPJ-755P-X363
Vulnerability from github – Published: 2026-03-31 00:31 – Updated: 2026-04-01 23:10Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider code did not validate certificates for connections to Databricks back-end which could result in a man-of-a-middle attack that traffic is intercepted and manipulated or credentials exfiltrated w/o notice.
This issue affects Apache Airflow Provider for Databricks: from 1.10.0 before 1.12.0.
Users are recommended to upgrade to version 1.12.0, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow"
},
"ranges": [
{
"events": [
{
"introduced": "1.10.0"
},
{
"fixed": "1.12.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32794"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T23:10:14Z",
"nvd_published_at": "2026-03-30T22:16:18Z",
"severity": "MODERATE"
},
"details": "Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider code did not validate certificates for connections to Databricks back-end which could result in a man-of-a-middle attack that traffic is intercepted and manipulated or credentials exfiltrated w/o notice.\n\nThis issue affects Apache Airflow Provider for Databricks: from 1.10.0 before 1.12.0.\n\nUsers are recommended to upgrade to version 1.12.0, which fixes the issue.",
"id": "GHSA-wrpj-755p-x363",
"modified": "2026-04-01T23:10:14Z",
"published": "2026-03-31T00:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32794"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/63704"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/hn17yqsgsdtl81llvhf80rkp53hnz5nb"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/03/30/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Airflow Provider for Databricks: TLS Certificate Verification is Disabled in Databricks Provider K8s Token Exchange"
}
GHSA-WRW6-8JH4-QVCX
Vulnerability from github – Published: 2026-06-25 18:30 – Updated: 2026-06-26 18:33X.509 trust-chain bypass (path-depth exhaustion) in the OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert()). This affects only builds with --enable-opensslextra whose application calls X509_verify_cert() with caller-supplied untrusted intermediates; for those users it is critical, otherwise the library is unaffected. Native wolfSSL TLS/DTLS usage is not impacted. X509_verify_cert() returned success based only on the last verified link rather than on reaching a trust anchor: when the supplied chain is deeper than the verifier's maximum path depth (default 100), path building runs out of depth while still walking untrusted intermediates and the chain is accepted even though it never reaches a configured trust anchor, allowing acceptance of an attacker-controlled certificate. The default TLS handshake (WOLFSSL_VERIFY_PEER) is not affected; only applications doing manual or deferred verification through this API are.
{
"affected": [],
"aliases": [
"CVE-2026-11999"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T18:16:37Z",
"severity": "HIGH"
},
"details": "X.509 trust-chain bypass (path-depth exhaustion) in the OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert()). This affects only builds with --enable-opensslextra whose application calls X509_verify_cert() with caller-supplied untrusted intermediates; for those users it is critical, otherwise the library is unaffected. Native wolfSSL TLS/DTLS usage is not impacted. X509_verify_cert() returned success based only on the last verified link rather than on reaching a trust anchor: when the supplied chain is deeper than the verifier\u0027s maximum path depth (default 100), path building runs out of depth while still walking untrusted intermediates and the chain is accepted even though it never reaches a configured trust anchor, allowing acceptance of an attacker-controlled certificate. The default TLS handshake (WOLFSSL_VERIFY_PEER) is not affected; only applications doing manual or deferred verification through this API are.",
"id": "GHSA-wrw6-8jh4-qvcx",
"modified": "2026-06-26T18:33:48Z",
"published": "2026-06-25T18:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11999"
},
{
"type": "WEB",
"url": "https://github.com/wolfSSL/wolfssl/pull/10674"
},
{
"type": "WEB",
"url": "https://www.wolfssl.com/docs/security-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WW4W-R53V-2M63
Vulnerability from github – Published: 2022-05-17 00:28 – Updated: 2022-05-17 00:28Rakuten card App for iOS 5.2.0 through 5.2.4 does not verify SSL certificates which might allow remote attackers to execute man-in-the-middle attacks.
{
"affected": [],
"aliases": [
"CVE-2015-2988"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-10T16:29:00Z",
"severity": "HIGH"
},
"details": "Rakuten card App for iOS 5.2.0 through 5.2.4 does not verify SSL certificates which might allow remote attackers to execute man-in-the-middle attacks.",
"id": "GHSA-ww4w-r53v-2m63",
"modified": "2022-05-17T00:28:36Z",
"published": "2022-05-17T00:28:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-2988"
},
{
"type": "WEB",
"url": "http://jvn.jp/en/jp/JVN81207766/index.html"
},
{
"type": "WEB",
"url": "http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000120.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/76531"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WWRQ-59MQ-V8W2
Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-06-02 00:00A flaw was found in stunnel before 5.57, where it improperly validates client certificates when it is configured to use both redirect and verifyChain options. This flaw allows an attacker with a certificate signed by a Certificate Authority, which is not the one accepted by the stunnel server, to access the tunneled service instead of being redirected to the address specified in the redirect option. The highest threat from this vulnerability is to confidentiality.
{
"affected": [],
"aliases": [
"CVE-2021-20230"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-23T17:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in stunnel before 5.57, where it improperly validates client certificates when it is configured to use both redirect and verifyChain options. This flaw allows an attacker with a certificate signed by a Certificate Authority, which is not the one accepted by the stunnel server, to access the tunneled service instead of being redirected to the address specified in the redirect option. The highest threat from this vulnerability is to confidentiality.",
"id": "GHSA-wwrq-59mq-v8w2",
"modified": "2022-06-02T00:00:23Z",
"published": "2022-05-24T17:42:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20230"
},
{
"type": "WEB",
"url": "https://github.com/mtrojnar/stunnel/commit/ebad9ddc4efb2635f37174c9d800d06206f1edf9"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1925226"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202105-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WXV5-Q299-W25J
Vulnerability from github – Published: 2025-10-15 15:30 – Updated: 2025-10-15 15:30A vulnerability was reported in the Lenovo LeCloud client application that, under certain conditions, could allow information disclosure.
{
"affected": [],
"aliases": [
"CVE-2025-10699"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-15T15:16:03Z",
"severity": "MODERATE"
},
"details": "A vulnerability was reported in the Lenovo LeCloud client application that, under certain conditions, could allow information disclosure.",
"id": "GHSA-wxv5-q299-w25j",
"modified": "2025-10-15T15:30:29Z",
"published": "2025-10-15T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10699"
},
{
"type": "WEB",
"url": "https://iknow.lenovo.com.cn/detail/432379"
},
{
"type": "WEB",
"url": "https://lecloud.lenovo.com/index"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WXVR-H7G5-RFC7
Vulnerability from github – Published: 2022-05-14 03:15 – Updated: 2025-04-12 13:04The TLS protocol 1.2 and earlier supports the rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, and ecdsa_fixed_ecdh values for ClientCertificateType but does not directly document the ability to compute the master secret in certain situations with a client secret key and server public key but not a server secret key, which makes it easier for man-in-the-middle attackers to spoof TLS servers by leveraging knowledge of the secret key for an arbitrary installed client X.509 certificate, aka the "Key Compromise Impersonation (KCI)" issue.
{
"affected": [],
"aliases": [
"CVE-2015-8960"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-09-21T02:59:00Z",
"severity": "HIGH"
},
"details": "The TLS protocol 1.2 and earlier supports the rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, and ecdsa_fixed_ecdh values for ClientCertificateType but does not directly document the ability to compute the master secret in certain situations with a client secret key and server public key but not a server secret key, which makes it easier for man-in-the-middle attackers to spoof TLS servers by leveraging knowledge of the secret key for an arbitrary installed client X.509 certificate, aka the \"Key Compromise Impersonation (KCI)\" issue.",
"id": "GHSA-wxvr-h7g5-rfc7",
"modified": "2025-04-12T13:04:24Z",
"published": "2022-05-14T03:15:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8960"
},
{
"type": "WEB",
"url": "https://kcitls.org"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20180626-0002"
},
{
"type": "WEB",
"url": "https://www.usenix.org/system/files/conference/woot15/woot15-paper-hlauschek.pdf"
},
{
"type": "WEB",
"url": "http://twitter.com/matthew_d_green/statuses/630908726950674433"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/09/20/4"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/93071"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X2MC-PW6Q-5PV7
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03libgrss through 0.7.0 fails to perform TLS certificate verification when downloading feeds, allowing remote attackers to manipulate the contents of feeds without detection. This occurs because of the default behavior of SoupSessionSync.
{
"affected": [],
"aliases": [
"CVE-2016-20011"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-25T21:15:00Z",
"severity": "HIGH"
},
"details": "libgrss through 0.7.0 fails to perform TLS certificate verification when downloading feeds, allowing remote attackers to manipulate the contents of feeds without detection. This occurs because of the default behavior of SoupSessionSync.",
"id": "GHSA-x2mc-pw6q-5pv7",
"modified": "2022-05-24T19:03:09Z",
"published": "2022-05-24T19:03:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-20011"
},
{
"type": "WEB",
"url": "https://bugzilla.gnome.org/show_bug.cgi?id=772647"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libgrss/-/issues/4"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libgrss/-/merge_requests/7.patch"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-X2R9-67W9-58FR
Vulnerability from github – Published: 2022-05-02 06:22 – Updated: 2024-02-14 18:30OpenSSL in Apple Mac OS X 10.6.x before 10.6.5 does not properly perform arithmetic, which allows remote attackers to bypass X.509 certificate authentication via an arbitrary certificate issued by a legitimate Certification Authority.
{
"affected": [],
"aliases": [
"CVE-2010-1378"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-11-15T23:00:00Z",
"severity": "HIGH"
},
"details": "OpenSSL in Apple Mac OS X 10.6.x before 10.6.5 does not properly perform arithmetic, which allows remote attackers to bypass X.509 certificate authentication via an arbitrary certificate issued by a legitimate Certification Authority.",
"id": "GHSA-x2r9-67w9-58fr",
"modified": "2024-02-14T18:30:24Z",
"published": "2022-05-02T06:22:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-1378"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT4435"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.
Mitigation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.