CWE-599
AllowedMissing Validation of OpenSSL Certificate
Abstraction: Variant · Status: Incomplete
The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements.
18 vulnerabilities reference this CWE, most recent first.
CVE-2026-62657 (GCVE-0-2026-62657)
Vulnerability from cvelistv5 – Published: 2026-07-14 17:46 – Updated: 2026-07-15 16:56- CWE-599 - Missing validation of OpenSSL certificate
| URL | Tags |
|---|---|
| https://www.netgear.com/support/product/mr70/ | productpatch |
| https://www.netgear.com/support/product/raxe500/ | productpatch |
| https://www.netgear.com/support/product/ms70/ | productpatch |
| https://www.netgear.com/support/product/xr1000/ | productpatch |
| https://kb.netgear.com/000070859/July-2026-NETGEA… | vendor-advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-62657",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T14:47:08.884742Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T15:12:49.036Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MR70",
"vendor": "NETGEAR",
"versions": [
{
"lessThan": "V1.0.4.48",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS70",
"vendor": "NETGEAR",
"versions": [
{
"lessThan": "V1.0.4.48",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "RAXE500",
"vendor": "NETGEAR",
"versions": [
{
"lessThan": "V1.2.14.114",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "XR1000",
"vendor": "NETGEAR",
"versions": [
{
"lessThan": "V1.0.2.86",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "fluorescent"
}
],
"datePublic": "2026-07-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA security flaw in the router\u0027s certificate validation process was\ndiscovered in the NETGEAR XR1000 Gaming Router and certain Nighthawk models that could allow an unauthorized person to remotely access and take\ncontrol of the device.\u003c/p\u003e"
}
],
"value": "A security flaw in the router\u0027s certificate validation process was\ndiscovered in the NETGEAR XR1000 Gaming Router and certain Nighthawk models that could allow an unauthorized person to remotely access and take\ncontrol of the device."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-599",
"description": "CWE-599 Missing validation of OpenSSL certificate",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T16:56:03.166Z",
"orgId": "a2826606-91e7-4eb6-899e-8484bd4575d5",
"shortName": "NETGEAR"
},
"references": [
{
"tags": [
"product",
"patch"
],
"url": "https://www.netgear.com/support/product/mr70/"
},
{
"tags": [
"product",
"patch"
],
"url": "https://www.netgear.com/support/product/raxe500/"
},
{
"tags": [
"product",
"patch"
],
"url": "https://www.netgear.com/support/product/ms70/"
},
{
"tags": [
"product",
"patch"
],
"url": "https://www.netgear.com/support/product/xr1000/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://kb.netgear.com/000070859/July-2026-NETGEAR-Security-Advisory"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDevices with automatic updates enabled may already have this patch applied. If not, please check the firmware version and update it to the latest. Fixed in:\u003c/p\u003e\u003ctable style=\"border-collapse:collapse;\"\u003e\u003cthead\u003e\u003ctr\u003e\u003cth style=\"border:1px solid gray;padding:4px 8px;text-align:left;\"\u003eProduct\u003c/th\u003e\u003cth style=\"border:1px solid gray;padding:4px 8px;text-align:left;\"\u003eFixed Version\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd style=\"border:1px solid gray;padding:4px 8px;text-align:left;\"\u003e\u003cb\u003eMR70\u003c/b\u003e Nighthawk Mesh WiFi 6 Router\u003c/td\u003e\u003ctd style=\"border:1px solid gray;padding:4px 8px;text-align:left;\"\u003e\u003ca href=\"https://www.netgear.com/support/product/mr70/\"\u003eV1.0.4.48\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd style=\"border:1px solid gray;padding:4px 8px;text-align:left;\"\u003e\u003cb\u003eMS70\u003c/b\u003e Nighthawk Mesh WiFi 6 Add-on Satellite\u003c/td\u003e\u003ctd style=\"border:1px solid gray;padding:4px 8px;text-align:left;\"\u003e\u003ca href=\"https://www.netgear.com/support/product/ms70/\"\u003eV1.0.4.48\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd style=\"border:1px solid gray;padding:4px 8px;text-align:left;\"\u003e\u003cb\u003eRAXE500\u003c/b\u003e Nighthawk AX12 12-Stream AXE11000 Tri-Band WiFi 6E Router\u003c/td\u003e\u003ctd style=\"border:1px solid gray;padding:4px 8px;text-align:left;\"\u003e\u003ca href=\"https://www.netgear.com/support/product/raxe500/\"\u003eV1.2.14.114\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd style=\"border:1px solid gray;padding:4px 8px;text-align:left;\"\u003e\u003cb\u003eXR1000\u003c/b\u003e Nighthawk WiFi 6 Pro Gaming Router\u003c/td\u003e\u003ctd style=\"border:1px solid gray;padding:4px 8px;text-align:left;\"\u003e\u003ca href=\"https://www.netgear.com/support/product/xr1000/\"\u003eV1.0.2.86\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"
}
],
"value": "Devices with automatic updates enabled may already have this patch applied. If not, please check the firmware version and update it to the latest. Fixed in:\n\nProductFixed VersionMR70 Nighthawk Mesh WiFi 6 Router V1.0.4.48 https://www.netgear.com/support/product/mr70/ MS70 Nighthawk Mesh WiFi 6 Add-on Satellite V1.0.4.48 https://www.netgear.com/support/product/ms70/ RAXE500 Nighthawk AX12 12-Stream AXE11000 Tri-Band WiFi 6E Router V1.2.14.114 https://www.netgear.com/support/product/raxe500/ XR1000 Nighthawk WiFi 6 Pro Gaming Router V1.0.2.86 https://www.netgear.com/support/product/xr1000/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Certificate validation vulnerability in NETGEAR Gaming Router and certain Nighthawk models",
"x_generator": {
"engine": "Vulnogram 1.0.3"
}
}
},
"cveMetadata": {
"assignerOrgId": "a2826606-91e7-4eb6-899e-8484bd4575d5",
"assignerShortName": "NETGEAR",
"cveId": "CVE-2026-62657",
"datePublished": "2026-07-14T17:46:13.757Z",
"dateReserved": "2026-07-14T16:31:02.508Z",
"dateUpdated": "2026-07-15T16:56:03.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25060 (GCVE-0-2026-25060)
Vulnerability from cvelistv5 – Published: 2026-02-02 22:26 – Updated: 2026-02-04 16:53- CWE-599 - Missing Validation of OpenSSL Certificate
| URL | Tags |
|---|---|
| https://github.com/OpenListTeam/OpenList/security… | x_refsource_CONFIRM |
| https://github.com/OpenListTeam/OpenList/commit/e… | x_refsource_MISC |
| https://github.com/OpenListTeam/OpenList/releases… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| OpenListTeam | OpenList |
Affected:
< 4.1.10
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25060",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T15:54:28.374017Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:53:31.990Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OpenList",
"vendor": "OpenListTeam",
"versions": [
{
"status": "affected",
"version": "\u003c 4.1.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, certificate verification is disabled by default for all storage driver communications. The TlsInsecureSkipVerify setting is default to true in the DefaultConfig() function in internal/conf/config.go. This vulnerability enables Man-in-the-Middle (MitM) attacks by disabling TLS certificate verification, allowing attackers to intercept and manipulate all storage communications. Attackers can exploit this through network-level attacks like ARP spoofing, rogue Wi-Fi access points, or compromised internal network equipment to redirect traffic to malicious endpoints. Since certificate validation is skipped, the system will unknowingly establish encrypted connections with attacker-controlled servers, enabling full decryption, data theft, and manipulation of all storage operations without triggering any security warnings. This vulnerability is fixed in 4.1.10."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-599",
"description": "CWE-599: Missing Validation of OpenSSL Certificate",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T22:26:42.421Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-wf93-3ghh-h389",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-wf93-3ghh-h389"
},
{
"name": "https://github.com/OpenListTeam/OpenList/commit/e3c664f81d0584fbbdb86ffe6644be16259371c1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenListTeam/OpenList/commit/e3c664f81d0584fbbdb86ffe6644be16259371c1"
},
{
"name": "https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10"
}
],
"source": {
"advisory": "GHSA-wf93-3ghh-h389",
"discovery": "UNKNOWN"
},
"title": "OpenList Insecure TLS Default Configuration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25060",
"datePublished": "2026-02-02T22:26:42.421Z",
"dateReserved": "2026-01-28T14:50:47.889Z",
"dateUpdated": "2026-02-04T16:53:31.990Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12553 (GCVE-0-2025-12553)
Vulnerability from cvelistv5 – Published: 2025-10-31 15:48 – Updated: 2025-10-31 18:36- CWE-599 - Missing Validation of OpenSSL Certificate
| Vendor | Product | Version | |
|---|---|---|---|
| Azure Access Technology | BLU-IC2 |
Affected:
0 , ≤ 1.19.5
(semver)
|
|
| Azure Access Technology | BLU-IC4 |
Affected:
0 , ≤ 1.19.5
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12553",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-31T18:36:48.308468Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T18:36:54.940Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BLU-IC2",
"vendor": "Azure Access Technology",
"versions": [
{
"lessThanOrEqual": "1.19.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "BLU-IC4",
"vendor": "Azure Access Technology",
"versions": [
{
"lessThanOrEqual": "1.19.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kevin Schaller"
},
{
"lang": "en",
"type": "finder",
"value": "Benjamin Lafois"
},
{
"lang": "en",
"type": "finder",
"value": "Alexi Bitsios"
},
{
"lang": "en",
"type": "finder",
"value": "Sebastian Toscano"
},
{
"lang": "en",
"type": "finder",
"value": "Dominik Schneider"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Email Server Certificate Verification Disabled.\u003cp\u003eThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.\u003c/p\u003e"
}
],
"value": "Email Server Certificate Verification Disabled.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5."
}
],
"impacts": [
{
"capecId": "CAPEC-94",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-94 Adversary in the Middle (AiTM)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-599",
"description": "CWE-599 Missing Validation of OpenSSL Certificate",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T15:48:29.402Z",
"orgId": "a0340c66-c385-4f8b-991b-3d05f6fd5220",
"shortName": "azure-access"
},
"references": [
{
"url": "https://azure-access.com/security-advisories"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Server Certificate Verification Disabled",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0340c66-c385-4f8b-991b-3d05f6fd5220",
"assignerShortName": "azure-access",
"cveId": "CVE-2025-12553",
"datePublished": "2025-10-31T15:48:29.402Z",
"dateReserved": "2025-10-31T15:46:01.105Z",
"dateUpdated": "2025-10-31T18:36:54.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-31105 (GCVE-0-2022-31105)
Vulnerability from cvelistv5 – Published: 2022-07-12 22:05 – Updated: 2025-04-23 18:02| URL | Tags |
|---|---|
| https://github.com/argoproj/argo-cd/security/advi… | x_refsource_CONFIRM |
| https://github.com/argoproj/argo-cd/releases/tag/v2.3.6 | x_refsource_MISC |
| https://github.com/argoproj/argo-cd/releases/tag/v2.4.5 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:11:39.204Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/releases/tag/v2.4.5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31105",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:51:34.574172Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:02:44.544Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.4.0, \u003c 2.2.11"
},
{
"status": "affected",
"version": "\u003e= 2.3.0, \u003c 2.3.6"
},
{
"status": "affected",
"version": "\u003e= 2.4.0, \u003c 2.4.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) OpenID Connect (OIDC) provider. A patch for this vulnerability has been released in Argo CD versions 2.4.5, 2.3.6, and 2.2.11. There are no complete workarounds, but a partial workaround is available. Those who use an external OIDC provider (not the bundled Dex instance), can mitigate the issue by setting the `oidc.config.rootCA` field in the `argocd-cm` ConfigMap. This mitigation only forces certificate validation when the API server handles login flows. It does not force certificate verification when verifying tokens on API calls."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-599",
"description": "CWE-599: Missing Validation of OpenSSL Certificate",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-12T22:05:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/releases/tag/v2.4.5"
}
],
"source": {
"advisory": "GHSA-7943-82jg-wmw5",
"discovery": "UNKNOWN"
},
"title": "Argo CD\u0027s certificate verification is skipped for connections to OIDC providers",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31105",
"STATE": "PUBLIC",
"TITLE": "Argo CD\u0027s certificate verification is skipped for connections to OIDC providers"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "argo-cd",
"version": {
"version_data": [
{
"version_value": "\u003e= 0.4.0, \u003c 2.2.11"
},
{
"version_value": "\u003e= 2.3.0, \u003c 2.3.6"
},
{
"version_value": "\u003e= 2.4.0, \u003c 2.4.5"
}
]
}
}
]
},
"vendor_name": "argoproj"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) OpenID Connect (OIDC) provider. A patch for this vulnerability has been released in Argo CD versions 2.4.5, 2.3.6, and 2.2.11. There are no complete workarounds, but a partial workaround is available. Those who use an external OIDC provider (not the bundled Dex instance), can mitigate the issue by setting the `oidc.config.rootCA` field in the `argocd-cm` ConfigMap. This mitigation only forces certificate validation when the API server handles login flows. It does not force certificate verification when verifying tokens on API calls."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-295: Improper Certificate Validation"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-599: Missing Validation of OpenSSL Certificate"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5",
"refsource": "CONFIRM",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5"
},
{
"name": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.6",
"refsource": "MISC",
"url": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.6"
},
{
"name": "https://github.com/argoproj/argo-cd/releases/tag/v2.4.5",
"refsource": "MISC",
"url": "https://github.com/argoproj/argo-cd/releases/tag/v2.4.5"
}
]
},
"source": {
"advisory": "GHSA-7943-82jg-wmw5",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31105",
"datePublished": "2022-07-12T22:05:11.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:02:44.544Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21374 (GCVE-0-2021-21374)
Vulnerability from cvelistv5 – Published: 2021-03-26 21:25 – Updated: 2024-08-03 18:09| URL | Tags |
|---|---|
| https://consensys.net/diligence/vulnerabilities/n… | x_refsource_MISC |
| https://github.com/nim-lang/nimble/blob/master/ch… | x_refsource_MISC |
| https://github.com/nim-lang/security/security/adv… | x_refsource_CONFIRM |
| https://github.com/nim-lang/Nim/pull/16940 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:15.923Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhxx"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nim-lang/Nim/pull/16940"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "security",
"vendor": "nim-lang",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.10"
},
{
"status": "affected",
"version": "\u003e= 1.4.0, \u003c 1.4.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, \"nimble refresh\" fetches a list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate due to the default setting of httpClient. An attacker able to perform MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used the attack escalates to untrusted code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-348",
"description": "CWE-348 Use of Less Trusted Source",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-599",
"description": "CWE-599: Missing Validation of OpenSSL Certificate",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-349",
"description": "CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-26T21:25:14.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhxx"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nim-lang/Nim/pull/16940"
}
],
"source": {
"advisory": "GHSA-c2wm-v66h-xhxx",
"discovery": "UNKNOWN"
},
"title": "Nimble fails to validate certificates due to insecure httpClient defaults",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21374",
"STATE": "PUBLIC",
"TITLE": "Nimble fails to validate certificates due to insecure httpClient defaults"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "security",
"version": {
"version_data": [
{
"version_value": "\u003c 1.2.10"
},
{
"version_value": "\u003e= 1.4.0, \u003c 1.4.4"
}
]
}
}
]
},
"vendor_name": "nim-lang"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, \"nimble refresh\" fetches a list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate due to the default setting of httpClient. An attacker able to perform MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used the attack escalates to untrusted code execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-348 Use of Less Trusted Source"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-599: Missing Validation of OpenSSL Certificate"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/",
"refsource": "MISC",
"url": "https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/"
},
{
"name": "https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130",
"refsource": "MISC",
"url": "https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130"
},
{
"name": "https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhxx",
"refsource": "CONFIRM",
"url": "https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhxx"
},
{
"name": "https://github.com/nim-lang/Nim/pull/16940",
"refsource": "MISC",
"url": "https://github.com/nim-lang/Nim/pull/16940"
}
]
},
"source": {
"advisory": "GHSA-c2wm-v66h-xhxx",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21374",
"datePublished": "2021-03-26T21:25:14.000Z",
"dateReserved": "2020-12-22T00:00:00.000Z",
"dateUpdated": "2024-08-03T18:09:15.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-2CH6-M8WH-67F2
Vulnerability from github – Published: 2024-04-10 18:30 – Updated: 2025-11-04 00:30IBM Security Verify Access Appliance 10.0.0 through 10.0.7 could allow a malicious actor to conduct a man in the middle attack when deploying Open Source scripts due to missing certificate validation. IBM X-Force ID: 287316.
{
"affected": [],
"aliases": [
"CVE-2024-31872"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-599"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-10T16:15:15Z",
"severity": "HIGH"
},
"details": "IBM Security Verify Access Appliance 10.0.0 through 10.0.7 could allow a malicious actor to conduct a man in the middle attack when deploying Open Source scripts due to missing certificate validation. IBM X-Force ID: 287316.",
"id": "GHSA-2ch6-m8wh-67f2",
"modified": "2025-11-04T00:30:48Z",
"published": "2024-04-10T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31872"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/287316"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7147932"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Nov/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-62RC-F4V9-H543
Vulnerability from github – Published: 2026-02-02 23:24 – Updated: 2026-02-03 19:01Summary
SageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. An issue where SSL certificate verification was globally disabled in the Triton Python backend has been found.
Impact
Arbitrary Code Execution: Disabling SSL verification allows third parties to intercept HTTPS traffic and replace models or dependencies with inappropriate versions. This could lead to remote code execution in the Triton container.
Impacted versions
- SageMaker Python SDK v3 < v3.1.1
- SageMaker Python SDK v2 < v2.256.0
Patches
This issue has been addressed in SageMaker Python SDK version v3.1.1 and v2.256.0. It is recommended to upgrade to the latest version immediately and ensure any forked or derivative code is patched to incorporate the new fixes.
Workarounds
Customers using self-signed certificates for internal model downloads should add their private Certificate Authority (CA) certificate to the container image rather than relying on the SDK’s previous insecure configuration. This opt-in approach maintains security while accommodating internal trusted domains.
References
If there are any questions or comments about this advisory, contact AWS Security via the vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "sagemaker"
},
"ranges": [
{
"events": [
{
"introduced": "3.0"
},
{
"fixed": "3.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "sagemaker"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.256.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-1778"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-599"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-02T23:24:50Z",
"nvd_published_at": "2026-02-02T23:16:04Z",
"severity": "HIGH"
},
"details": "### Summary\nSageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. An issue where SSL certificate verification was globally disabled in the Triton Python backend has been found.\n\n### Impact\nArbitrary Code Execution: Disabling SSL verification allows third parties to intercept HTTPS traffic and replace models or dependencies with inappropriate versions. This could lead to remote code execution in the Triton container.\n\n### Impacted versions\n\n- SageMaker Python SDK v3 \u003c v3.1.1\n- SageMaker Python SDK v2 \u003c v2.256.0\n\n### Patches\nThis issue has been addressed in SageMaker Python SDK version [v3.1.1](https://github.com/aws/sagemaker-python-sdk/tree/1ab6d30401946e92fdbea18497675681649e0153) and [v2.256.0](https://github.com/aws/sagemaker-python-sdk/tree/a140cfcd12abfee10254cb4dea3bb10758e4321c). It is recommended to upgrade to the latest version immediately and ensure any forked or derivative code is patched to incorporate the new fixes.\n\n### Workarounds\nCustomers using self-signed certificates for internal model downloads should add their private Certificate Authority (CA) certificate to the container image rather than relying on the SDK\u2019s previous insecure configuration. This opt-in approach maintains security while accommodating internal trusted domains.\n\n### References\nIf there are any questions or comments about this advisory, contact AWS Security via the [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.",
"id": "GHSA-62rc-f4v9-h543",
"modified": "2026-02-03T19:01:03Z",
"published": "2026-02-02T23:24:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-62rc-f4v9-h543"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1778"
},
{
"type": "WEB",
"url": "https://github.com/aws/sagemaker-python-sdk/commit/5e7a3efa7bec0a161194ffa0cef346dda93bf2c6"
},
{
"type": "WEB",
"url": "https://github.com/aws/sagemaker-python-sdk/commit/c8098958910f7db78d07037425debfd4d44a6964"
},
{
"type": "WEB",
"url": "https://aws.amazon.com/security/security-bulletins/2026-004-AWS"
},
{
"type": "PACKAGE",
"url": "https://github.com/aws/sagemaker-python-sdk"
},
{
"type": "WEB",
"url": "https://github.com/aws/sagemaker-python-sdk/releases/tag/v2.256.0"
},
{
"type": "WEB",
"url": "https://github.com/aws/sagemaker-python-sdk/releases/tag/v3.1.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "SageMaker Python SDK has Insecure TLS Configuration"
}
GHSA-785C-R7JC-9QXG
Vulnerability from github – Published: 2025-10-31 18:31 – Updated: 2025-11-10 15:31Email Server Certificate Verification Disabled.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
{
"affected": [],
"aliases": [
"CVE-2025-12553"
],
"database_specific": {
"cwe_ids": [
"CWE-599"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-31T16:15:40Z",
"severity": "CRITICAL"
},
"details": "Email Server Certificate Verification Disabled.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.",
"id": "GHSA-785c-r7jc-9qxg",
"modified": "2025-11-10T15:31:04Z",
"published": "2025-10-31T18:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12553"
},
{
"type": "WEB",
"url": "https://azure-access.com/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8R96-8889-QG2X
Vulnerability from github – Published: 2023-11-16 18:30 – Updated: 2025-02-06 16:05Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.2.2"
},
"package": {
"ecosystem": "PyPI",
"name": "httpie"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-48052"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-599"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-16T22:16:44Z",
"nvd_published_at": "2023-11-16T18:15:07Z",
"severity": "HIGH"
},
"details": "Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.",
"id": "GHSA-8r96-8889-qg2x",
"modified": "2025-02-06T16:05:09Z",
"published": "2023-11-16T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48052"
},
{
"type": "WEB",
"url": "https://github.com/httpie/cli/issues/1549"
},
{
"type": "WEB",
"url": "https://github.com/httpie/cli/commit/7f03c52d2237440c5a672296ce6955aae4ed4f09"
},
{
"type": "PACKAGE",
"url": "https://github.com/httpie/cli"
},
{
"type": "WEB",
"url": "https://github.com/httpie/cli/blob/master/httpie/client.py#L33"
},
{
"type": "WEB",
"url": "https://github.com/httpie/cli/blob/master/httpie/internal/update_warnings.py#L44"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/httpie/PYSEC-2023-242.yaml"
},
{
"type": "WEB",
"url": "https://gxx777.github.io/HTTPie_3.2.2_Cryptographic_API_Misuse_Vulnerability.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "HTTPie allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack"
}
GHSA-FWCQ-RJR3-7RR9
Vulnerability from github – Published: 2025-11-05 21:31 – Updated: 2025-11-07 00:30GOG Galaxy 2.0.0.2 suffers from Missing SSL Certificate Validation. An attacker who controls the local network, DNS, or a proxy can perform a man-in-the-middle (MitM) attack to intercept update requests and replace installer or update packages with malicious files.
{
"affected": [],
"aliases": [
"CVE-2025-56232"
],
"database_specific": {
"cwe_ids": [
"CWE-599"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-05T19:16:01Z",
"severity": "MODERATE"
},
"details": "GOG Galaxy 2.0.0.2 suffers from Missing SSL Certificate Validation. An attacker who controls the local network, DNS, or a proxy can perform a man-in-the-middle (MitM) attack to intercept update requests and replace installer or update packages with malicious files.",
"id": "GHSA-fwcq-rjr3-7rr9",
"modified": "2025-11-07T00:30:28Z",
"published": "2025-11-05T21:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-56232"
},
{
"type": "WEB",
"url": "https://www.notion.so/CVE-2025-56232-2a04e9f2a40d80dab203e39b5c9462f6"
},
{
"type": "WEB",
"url": "https://youtu.be/WchHCmqGaFQ"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Ensure that proper authentication is included in the system design.
Mitigation
Understand and properly implement all checks necessary to ensure the identity of entities involved in encrypted communications.
No CAPEC attack patterns related to this CWE.