Vulnerabilities (CVE)

Filtered by CWE-295
Total 885 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-0466 1 Openssl 1 Openssl 2023-09-28 N/A 5.3 MEDIUM
The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification. As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.
CVE-2023-41991 1 Apple 4 Ipad Os, Iphone Os, Macos and 1 more 2023-09-27 N/A 5.5 MEDIUM
A certificate validation issue was addressed. This issue is fixed in macOS Ventura 13.6, iOS 16.7 and iPadOS 16.7. A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.
CVE-2023-38353 1 Minitool 1 Power Data Recovery 2023-09-25 N/A 5.9 MEDIUM
MiniTool Power Data Recovery version 11.6 and before contains an insecure in-app payment system that allows attackers to steal highly sensitive information through a man in the middle attack.
CVE-2023-38354 1 Minitool 1 Movie Maker 2023-09-25 N/A 8.1 HIGH
MiniTool Shadow Maker version 4.1 contains an insecure installation process that allows attackers to achieve remote code execution through a man in the middle attack.
CVE-2023-38356 1 Minitool 1 Power Data Recovery 2023-09-22 N/A 8.1 HIGH
MiniTool Power Data Recovery 11.6 contains an insecure installation process that allows attackers to achieve remote code execution through a man in the middle attack.
CVE-2023-38355 1 Minitool 1 Movie Maker 2023-09-22 N/A 8.1 HIGH
MiniTool Movie Maker 6.1.0 contains an insecure installation process that allows attackers to achieve remote code execution through a man in the middle attack.
CVE-2023-38351 1 Minitool 1 Partition Wizard 2023-09-22 N/A 8.1 HIGH
MiniTool Partition Wizard 12.8 contains an insecure installation mechanism that allows attackers to achieve remote code execution through a man in the middle attack.
CVE-2023-38352 1 Minitool 1 Partition Wizard 2023-09-22 N/A 8.1 HIGH
MiniTool Partition Wizard 12.8 contains an insecure update mechanism that allows attackers to achieve remote code execution through a man in the middle attack.
CVE-2023-1409 3 Apple, Microsoft, Mongodb 3 Macos, Windows, Mongodb 2023-09-21 N/A 7.5 HIGH
If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing client to establish a TLS connection with the server that supplies any certificate. This issue affect all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14 and all MongoDB Server v4.4 versions.
CVE-2023-4801 1 Proofpoint 1 Insider Threat Management 2023-09-15 N/A 7.5 HIGH
An improper certification validation vulnerability in the Insider Threat Management (ITM) Agent for MacOS could be used by an anonymous actor on an adjacent network to establish a man-in-the-middle position between the agent and the ITM server after the agent has registered. All versions prior to 7.14.3.69 are affected. Agents for Windows, Linux, and Cloud are unaffected.
CVE-2023-35845 2 Anaconda, Linux 2 Anaconda3, Linux Kernel 2023-09-13 N/A 4.7 MEDIUM
Anaconda 3 2023.03-1-Linux allows local users to disrupt TLS certificate validation by modifying the cacert.pem file used by the installed pip program. This occurs because many files are installed as world-writable on Linux, ignoring umask, even when these files are installed as root. Miniconda is also affected.
CVE-2021-44273 1 E2bn 1 E2guardian 2023-09-13 5.8 MEDIUM 7.4 HIGH
e2guardian v5.4.x <= v5.4.3r is affected by missing SSL certificate validation in the SSL MITM engine. In standalone mode (i.e., acting as a proxy or a transparent proxy), with SSL MITM enabled, e2guardian, if built with OpenSSL v1.1.x, did not validate hostnames in certificates of the web servers that it connected to, and thus was itself vulnerable to MITM attacks.
CVE-2023-30729 1 Samsung 1 Email 2023-09-08 N/A 7.5 HIGH
Improper Certificate Validation in Samsung Email prior to version 6.1.82.0 allows remote attacker to intercept the network traffic including sensitive information.
CVE-2023-41180 1 Apache 1 Nifi Minifi C\+\+ 2023-09-08 N/A 5.9 MEDIUM
Incorrect certificate validation in InvokeHTTP on Apache NiFi MiNiFi C++ versions 0.13 to 0.14 allows an intermediary to present a forged certificate during TLS handshake negotation. The Disable Peer Verification property of InvokeHTTP was effectively flipped, disabling verification by default, when using HTTPS. Mitigation: Set the Disable Peer Verification property of InvokeHTTP to true when using MiNiFi C++ versions 0.13.0 or 0.14.0. Upgrading to MiNiFi C++ 0.15.0 corrects the default behavior.
CVE-2022-22305 1 Fortinet 4 Fortianalyzer, Fortimanager, Fortios and 1 more 2023-09-07 N/A 4.2 MEDIUM
An improper certificate validation vulnerability [CWE-295] in FortiManager 7.0.1 and below, 6.4.6 and below; FortiAnalyzer 7.0.2 and below, 6.4.7 and below; FortiOS 6.2.x and 6.0.x; FortiSandbox 4.0.x, 3.2.x and 3.1.x may allow a network adjacent and unauthenticated attacker to man-in-the-middle the communication between the listed products and some external peers.
CVE-2023-39441 1 Apache 3 Airflow, Apache-airflow-providers-imap, Apache-airflow-providers-smtp 2023-08-29 N/A 5.9 MEDIUM
Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability. The default SSL context with SSL library did not check a server's X.509 certificate.  Instead, the code accepted any certificate, which could result in the disclosure of mail server credentials or mail contents when the client connects to an attacker in a MITM position. Users are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer to mitigate the risk associated with this vulnerability
CVE-2023-33201 1 Bouncycastle 1 Bc-java 2023-08-24 N/A 5.3 MEDIUM
Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.
CVE-2023-38325 1 Cryptography Project 1 Cryptography 2023-08-24 N/A 7.5 HIGH
The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.
CVE-2023-21265 1 Google 1 Android 2023-08-24 N/A 7.5 HIGH
In multiple locations, there are root CA certificates which need to be disabled. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2023-34410 1 Qt 1 Qt 2023-08-23 N/A 5.3 MEDIUM
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.