Total
959 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-4586 | 2 Infinispan, Redhat | 2 Hot Rod, Data Grid | 2023-12-10 | N/A | 7.4 HIGH |
A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack. | |||||
CVE-2023-38352 | 1 Minitool | 1 Partition Wizard | 2023-12-10 | N/A | 8.1 HIGH |
MiniTool Partition Wizard 12.8 contains an insecure update mechanism that allows attackers to achieve remote code execution through a man in the middle attack. | |||||
CVE-2023-31580 | 1 Networknt | 1 Light-oauth2 | 2023-12-10 | N/A | 5.9 MEDIUM |
light-oauth2 before version 2.1.27 obtains the public key without any verification. This could allow attackers to authenticate to the application with a crafted JWT token. | |||||
CVE-2023-38354 | 1 Minitool | 1 Shadowmaker | 2023-12-10 | N/A | 8.1 HIGH |
MiniTool Shadow Maker version 4.1 contains an insecure installation process that allows attackers to achieve remote code execution through a man in the middle attack. | |||||
CVE-2023-35845 | 2 Anaconda, Linux | 2 Anaconda3, Linux Kernel | 2023-12-10 | N/A | 4.7 MEDIUM |
Anaconda 3 2023.03-1-Linux allows local users to disrupt TLS certificate validation by modifying the cacert.pem file used by the installed pip program. This occurs because many files are installed as world-writable on Linux, ignoring umask, even when these files are installed as root. Miniconda is also affected. | |||||
CVE-2023-3615 | 1 Mattermost | 1 Mattermost | 2023-12-10 | N/A | 8.1 HIGH |
Mattermost iOS app fails to properly validate the server certificate while initializing the TLS connection allowing a network attacker to intercept the WebSockets connection. | |||||
CVE-2023-38325 | 1 Cryptography Project | 1 Cryptography | 2023-12-10 | N/A | 7.5 HIGH |
The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. | |||||
CVE-2023-25392 | 1 Allegro | 1 Bigflow | 2023-12-10 | N/A | 5.9 MEDIUM |
Allegro Tech BigFlow <1.6 is vulnerable to Missing SSL Certificate Validation. | |||||
CVE-2023-29175 | 1 Fortinet | 2 Fortios, Fortiproxy | 2023-12-10 | N/A | 4.8 MEDIUM |
An improper certificate validation vulnerability [CWE-295] in FortiOS 6.2 all versions, 6.4 all versions, 7.0.0 through 7.0.10, 7.2.0 and FortiProxy 1.2 all versions, 2.0 all versions, 7.0.0 through 7.0.9, 7.2.0 through 7.2.3 may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the vulnerable device and the remote FortiGuard's map server. | |||||
CVE-2023-31485 | 1 Gitlab\ | 1 \ | 2023-12-10 | N/A | 5.9 MEDIUM |
GitLab::API::v4 through 0.26 does not verify TLS certificates when connecting to a GitLab server, enabling machine-in-the-middle attacks. | |||||
CVE-2023-33201 | 1 Bouncycastle | 1 Bc-java | 2023-12-10 | N/A | 5.3 MEDIUM |
Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability. | |||||
CVE-2023-28321 | 5 Apple, Debian, Fedoraproject and 2 more | 14 Macos, Debian Linux, Fedora and 11 more | 2023-12-10 | N/A | 5.9 MEDIUM |
An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with `xn--` and should not be allowed to pattern match, but the wildcard check in curl could still check for `x*`, which would match even though the IDN name most likely contained nothing even resembling an `x`. | |||||
CVE-2023-20881 | 1 Cloudfoundry | 3 Capi-release, Cf-deployment, Loggregator-agent | 2023-12-10 | N/A | 8.1 HIGH |
Cloud foundry instances having CAPI version between 1.140 and 1.152.0 along with loggregator-agent v7+ may override other users syslog drain credentials if they're aware of the client certificate used for that syslog drain. This applies even if the drain has zero certs. This would allow the user to override the private key and add or modify a certificate authority used for the connection. | |||||
CVE-2023-30517 | 1 Jenkins | 1 Neuvector Vulnerability Scanner | 2023-12-10 | N/A | 5.3 MEDIUM |
Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier unconditionally disables SSL/TLS certificate and hostname validation when connecting to a configured NeuVector Vulnerability Scanner server. | |||||
CVE-2023-31151 | 1 Selinc | 20 Sel-2241 Rtac Module, Sel-2241 Rtac Module Firmware, Sel-3350 and 17 more | 2023-12-10 | N/A | 4.2 MEDIUM |
An Improper Certificate Validation vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote unauthenticated attacker to conduct a man-in-the-middle (MitM) attack. See SEL Service Bulletin dated 2022-11-15 for more details. | |||||
CVE-2023-23901 | 1 Seiko-sol | 4 Skybridge Basic Mb-a130, Skybridge Basic Mb-a130 Firmware, Skybridge Mb-a200 and 1 more | 2023-12-10 | N/A | 6.5 MEDIUM |
Improper following of a certificate's chain of trust exists in SkyBridge MB-A200 firmware Ver. 01.00.05 and earlier, and SkyBridge BASIC MB-A130 firmware Ver. 1.4.1 and earlier, which may allow a remote unauthenticated attacker to eavesdrop on or alter the communication sent to the WebUI of the product. | |||||
CVE-2022-47758 | 1 Nanoleaf | 1 Nanoleaf Firmware | 2023-12-10 | N/A | 9.8 CRITICAL |
Nanoleaf firmware v7.1.1 and below is missing TLS verification, allowing attackers to execute arbitrary code via a DNS hijacking attack. | |||||
CVE-2023-0547 | 1 Mozilla | 1 Thunderbird | 2023-12-10 | N/A | 6.5 MEDIUM |
OCSP revocation status of recipient certificates was not checked when sending S/Mime encrypted email, and revoked certificates would be accepted. Thunderbird versions from 68 to 102.9.1 were affected by this bug. This vulnerability affects Thunderbird < 102.10. | |||||
CVE-2023-20963 | 1 Google | 1 Android | 2023-12-10 | N/A | 7.8 HIGH |
In WorkSource, there is a possible parcel mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-220302519 | |||||
CVE-2023-24461 | 3 Apple, F5, Microsoft | 3 Macos, Big-ip Access Policy Manager, Windows | 2023-12-10 | N/A | 5.9 MEDIUM |
An improper certificate validation vulnerability exists in the BIG-IP Edge Client for Windows and macOS and may allow an attacker to impersonate a BIG-IP APM system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |