CWE-295
AllowedImproper Certificate Validation
Abstraction: Base · Status: Draft
The product does not validate, or incorrectly validates, a certificate.
1908 vulnerabilities reference this CWE, most recent first.
GHSA-QP87-27VX-89V7
Vulnerability from github – Published: 2022-05-14 02:00 – Updated: 2022-05-14 02:00An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. The SSL/TLS server certificate in the device to cloud communication was not verified by the device. As a result, an attacker in control of the network traffic of a device could have taken control of a device by intercepting and modifying commands issued from the server to the device in a Man-in-the-Middle attack. This included the ability to inject firmware update commands into the communication and cause the device to install maliciously modified firmware.
{
"affected": [],
"aliases": [
"CVE-2018-15476"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-30T17:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. The SSL/TLS server certificate in the device to cloud communication was not verified by the device. As a result, an attacker in control of the network traffic of a device could have taken control of a device by intercepting and modifying commands issued from the server to the device in a Man-in-the-Middle attack. This included the ability to inject firmware update commands into the communication and cause the device to install maliciously modified firmware.",
"id": "GHSA-qp87-27vx-89v7",
"modified": "2022-05-14T02:00:50Z",
"published": "2022-05-14T02:00:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15476"
},
{
"type": "WEB",
"url": "https://www.swisscom.ch/content/dam/swisscom/de/about/nachhaltigkeit/digitale-schweiz/sicherheit/bug-bounty/files/cve-2018-15476ff.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QPCH-GJF6-C9GF
Vulnerability from github – Published: 2026-06-25 21:31 – Updated: 2026-06-27 18:35A CRL critical extension bypass exists in ParseCRL_Extensions where critical extensions are not properly enforced, allowing a crafted CRL with an unhandled critical extension to be accepted. This only affects builds with CRL support enabled and where a crafted CRL had a trusted signature when parsed.
{
"affected": [],
"aliases": [
"CVE-2026-6450"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T21:16:27Z",
"severity": "LOW"
},
"details": "A CRL critical extension bypass exists in ParseCRL_Extensions where critical extensions are not properly enforced, allowing a crafted CRL with an unhandled critical extension to be accepted. This only affects builds with CRL support enabled and where a crafted CRL had a trusted signature when parsed.",
"id": "GHSA-qpch-gjf6-c9gf",
"modified": "2026-06-27T18:35:15Z",
"published": "2026-06-25T21:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6450"
},
{
"type": "WEB",
"url": "https://github.com/wolfSSL/wolfssl/pull/10239"
},
{
"type": "WEB",
"url": "https://www.wolfssl.com/docs/security-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:H/AT:P/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QQ6H-HX9Q-4FXV
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-16 18:31When displaying the sender of an email, and the sender name contained the Braille Pattern Blank space character multiple times, Thunderbird would have displayed all the spaces. This could have been used by an attacker to send an email message with the attacker's digital signature, that was shown with an arbitrary sender email address chosen by the attacker. If the sender name started with a false email address, followed by many Braille space characters, the attacker's email address was not visible. Because Thunderbird compared the invisible sender address with the signature's email address, if the signing key or certificate was accepted by Thunderbird, the email was shown as having a valid digital signature. This vulnerability affects Thunderbird < 91.10.
{
"affected": [],
"aliases": [
"CVE-2022-1834"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "MODERATE"
},
"details": "When displaying the sender of an email, and the sender name contained the Braille Pattern Blank space character multiple times, Thunderbird would have displayed all the spaces. This could have been used by an attacker to send an email message with the attacker\u0027s digital signature, that was shown with an arbitrary sender email address chosen by the attacker. If the sender name started with a false email address, followed by many Braille space characters, the attacker\u0027s email address was not visible. Because Thunderbird compared the invisible sender address with the signature\u0027s email address, if the signing key or certificate was accepted by Thunderbird, the email was shown as having a valid digital signature. This vulnerability affects Thunderbird \u003c 91.10.",
"id": "GHSA-qq6h-hx9q-4fxv",
"modified": "2025-04-16T18:31:35Z",
"published": "2022-12-22T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1834"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1767816"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-22"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QQF3-H6HQ-FM58
Vulnerability from github – Published: 2024-10-02 18:31 – Updated: 2024-10-02 18:31A vulnerability in the SSL/TLS implementation of Cisco Nexus Dashboard Orchestrator (NDO) could allow an unauthenticated, remote attacker to intercept sensitive information from an affected device.
This vulnerability exists because the Cisco NDO Validate Peer Certificate site management feature validates the certificates for Cisco Application Policy Infrastructure Controller (APIC), Cisco Cloud Network Controller (CNC), and Cisco Nexus Dashboard only when a new site is added or an existing one is reregistered. An attacker could exploit this vulnerability by using machine-in-the-middle techniques to intercept the traffic between the affected device and Cisco NDO and then using a crafted certificate to impersonate the affected device. A successful exploit could allow the attacker to learn sensitive information during communications between these devices.
{
"affected": [],
"aliases": [
"CVE-2024-20385"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-02T17:15:15Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the SSL/TLS implementation of Cisco Nexus Dashboard Orchestrator (NDO) could allow an unauthenticated, remote attacker to intercept sensitive information from an affected device.\u0026nbsp;\n\nThis vulnerability exists because the Cisco NDO Validate Peer Certificate site management feature validates the certificates for Cisco Application Policy Infrastructure Controller (APIC), Cisco Cloud Network Controller (CNC), and Cisco Nexus Dashboard only when a new site is added or an existing one is reregistered. An attacker could exploit this vulnerability by using machine-in-the-middle techniques to intercept the traffic between the affected device and Cisco NDO and then using a crafted certificate to impersonate the affected device. A successful exploit could allow the attacker to learn sensitive information during communications between these devices.",
"id": "GHSA-qqf3-h6hq-fm58",
"modified": "2024-10-02T18:31:32Z",
"published": "2024-10-02T18:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20385"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndo-tlsvld-FdUF3cpw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QQF5-W389-F489
Vulnerability from github – Published: 2025-08-06 18:31 – Updated: 2025-08-06 18:31The server identity check mechanism for firmware upgrade performed via command shell is insecurely implemented potentially allowing an attacker to perform a Man-in-the-middle attack. This security issue has been fixed in the latest version which is available on the Eaton download center.
{
"affected": [],
"aliases": [
"CVE-2025-48393"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-06T16:15:29Z",
"severity": "MODERATE"
},
"details": "The server identity check mechanism for firmware upgrade performed via command shell is insecurely implemented potentially allowing an attacker to perform a Man-in-the-middle attack. This security issue has been fixed in the latest version which is available on the Eaton download center.",
"id": "GHSA-qqf5-w389-f489",
"modified": "2025-08-06T18:31:20Z",
"published": "2025-08-06T18:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48393"
},
{
"type": "WEB",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1002.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-QQJ3-G7MX-5P4W
Vulnerability from github – Published: 2025-10-21 20:25 – Updated: 2026-07-02 20:30Impact
This vulnerability affects NeuVector deployments only when the Report anonymous cluster data option is enabled. When this option is enabled, NeuVector sends anonymous telemetry data to the telemetry server at https://upgrades.neuvector-upgrade-responder.livestock.rancher.io.
In affected versions, NeuVector does not enforce TLS certificate verification when transmitting anonymous cluster data to the telemetry server. As a result, the communication channel is susceptible to man-in-the-middle (MITM) attacks, where an attacker could intercept or modify the transmitted data. Additionally, NeuVector loads the response of the telemetry server is loaded into memory without size limitation, which makes it vulnerable to a Denial of Service(DoS) attack.
The patched version includes the following security improvements:
- NeuVector now verifies the telemetry server’s TLS certificate chain and hostname during the handshake process. This ensures that all telemetry communications occur over a trusted and verified channel.
- NeuVector limits the telemetry server’s response to 256 bytes, mitigating the risk of memory exhaustion and DoS attacks.
These security enhancements are enabled by default and require no user action.
Patches
Patched versions include release v5.4.7 and above.
Workarounds
If you cannot update to a patched version, you can temporarily disable the Report anonymous cluster data, which is enabled by default in NeuVector. To change this setting, go to Settings → Configuration → Report anonymous cluster data in the NeuVector UI.
Disabling this option prevents NeuVector from sending telemetry data to the telemetry server, which helps mitigate this vulnerability.
References
If you have any questions or comments about this advisory: - Reach out to the SUSE Rancher Security team for security related inquiries. - Open an issue in the NeuVector repository. - Verify with our support matrix and product support lifecycle.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/neuvector/neuvector"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-20230727023453-1c4957d53911"
},
{
"fixed": "0.0.0-20251020133207-084a437033b4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-54470"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-21T20:25:21Z",
"nvd_published_at": "2025-10-30T10:15:35Z",
"severity": "HIGH"
},
"details": "### Impact\nThis vulnerability affects NeuVector deployments only when the `Report anonymous cluster data option` is enabled. When this option is enabled, NeuVector sends anonymous telemetry data to the telemetry server at `https://upgrades.neuvector-upgrade-responder.livestock.rancher.io`.\n\nIn affected versions, NeuVector does not enforce TLS certificate verification when transmitting anonymous cluster data to the telemetry server. As a result, the communication channel is susceptible to man-in-the-middle (MITM) attacks, where an attacker could intercept or modify the transmitted data. Additionally, NeuVector loads the response of the telemetry server is loaded into memory without size limitation, which makes it vulnerable to a Denial of Service(DoS) attack. \n\nThe patched version includes the following security improvements:\n- NeuVector now verifies the telemetry server\u2019s `TLS certificate chain` and `hostname` during the handshake process. This ensures that all telemetry communications occur over a trusted and verified channel.\n- NeuVector limits the telemetry server\u2019s response to `256 bytes`, mitigating the risk of memory exhaustion and DoS attacks.\n\nThese security enhancements are enabled by default and require no user action.\n\n\n### Patches\nPatched versions include release **v5.4.7** and above.\n\n### Workarounds\nIf you cannot update to a patched version, you can temporarily disable the Report anonymous cluster data, which is enabled by default in NeuVector.\nTo change this setting, go to **Settings** \u2192 **Configuration** \u2192 **Report anonymous cluster data** in the NeuVector UI.\n\nDisabling this option prevents NeuVector from sending telemetry data to the telemetry server, which helps mitigate this vulnerability.\n\n\n### References\nIf you have any questions or comments about this advisory:\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [NeuVector](https://github.com/neuvector/neuvector/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-neuvector/support-matrix/all-supported-versions/neuvector-v-all-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/#suse-security).",
"id": "GHSA-qqj3-g7mx-5p4w",
"modified": "2026-07-02T20:30:25Z",
"published": "2025-10-21T20:25:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/neuvector/neuvector/security/advisories/GHSA-qqj3-g7mx-5p4w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54470"
},
{
"type": "WEB",
"url": "https://github.com/neuvector/neuvector/commit/06424701e69bf1eb76ff90180d78853fded93021"
},
{
"type": "WEB",
"url": "https://github.com/neuvector/neuvector/commit/415737cbec581a5dc5f204fac1c78b7f29ad7dc2"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-54470"
},
{
"type": "PACKAGE",
"url": "https://github.com/neuvector/neuvector"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "NeuVector telemetry sender is vulnerable to MITM and DoS"
}
GHSA-QQPP-685P-JC24
Vulnerability from github – Published: 2026-03-05 18:31 – Updated: 2026-03-25 15:31Improper Certificate Validation vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (HTTP API client, TLS transport modules) allows Adversary in the Middle (AiTM). This vulnerability is associated with program files src/hbbs_http/http_client.Rs and program routines TLS retry with danger_accept_invalid_certs(true).
This issue affects RustDesk Client: through 1.4.5.
{
"affected": [],
"aliases": [
"CVE-2026-30794"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-05T16:16:20Z",
"severity": "CRITICAL"
},
"details": "Improper Certificate Validation vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (HTTP API client, TLS transport modules) allows Adversary in the Middle (AiTM). This vulnerability is associated with program files src/hbbs_http/http_client.Rs and program routines TLS retry with danger_accept_invalid_certs(true).\n\nThis issue affects RustDesk Client: through 1.4.5.",
"id": "GHSA-qqpp-685p-jc24",
"modified": "2026-03-25T15:31:24Z",
"published": "2026-03-05T18:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30794"
},
{
"type": "WEB",
"url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"
},
{
"type": "WEB",
"url": "https://github.com/rustdesk/rustdesk"
},
{
"type": "WEB",
"url": "https://www.vulsec.org"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QQQC-GW7P-PW85
Vulnerability from github – Published: 2026-05-05 12:31 – Updated: 2026-05-05 12:31RouterOS provides various services that rely on correct verification of client and server certificates to secure confidentiality and integrity of communications. This includes OpenVPN, CAPsMAN, Dot1x (802.1X), among others.
The vulnerability lies in shared certificate validation logic which uses the system certificate store that is shared and equally trusted by all system services. This causes confusion of scope, allowing any certificate authority present in the system-wide trust store to be trusted in any context (with some exceptions), allowing partial or full authentication bypass in CAPsMAN, OpenVPN, Dot1X and potentially others.
{
"affected": [],
"aliases": [
"CVE-2025-42611"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-05T11:16:31Z",
"severity": "MODERATE"
},
"details": "RouterOS provides various services that rely on correct\nverification of client and server certificates to secure confidentiality and\nintegrity of communications. This includes OpenVPN, CAPsMAN, Dot1x (802.1X),\namong others.\n\n\n\nThe vulnerability lies in shared certificate validation\nlogic which uses the system certificate store that is shared and equally\ntrusted by all system services. This causes confusion of scope, allowing any\ncertificate authority present in the system-wide trust store to be trusted in\nany context (with some exceptions), allowing partial or full authentication\nbypass in CAPsMAN, OpenVPN, Dot1X and potentially others.",
"id": "GHSA-qqqc-gw7p-pw85",
"modified": "2026-05-05T12:31:37Z",
"published": "2026-05-05T12:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-42611"
},
{
"type": "WEB",
"url": "https://www.cert.si/en/cve-2025-42611"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QR25-V3MP-XM3G
Vulnerability from github – Published: 2022-05-17 02:45 – Updated: 2025-04-20 03:37The 21st Century Insurance app 10.0.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
{
"affected": [],
"aliases": [
"CVE-2017-5919"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-05T07:29:00Z",
"severity": "MODERATE"
},
"details": "The 21st Century Insurance app 10.0.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.",
"id": "GHSA-qr25-v3mp-xm3g",
"modified": "2025-04-20T03:37:14Z",
"published": "2022-05-17T02:45:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5919"
},
{
"type": "WEB",
"url": "https://medium.com/%40chronic_9612/follow-up-76-popular-apps-confirmed-vulnerable-to-silent-interception-of-tls-protected-data-64185035029f"
},
{
"type": "WEB",
"url": "https://medium.com/@chronic_9612/follow-up-76-popular-apps-confirmed-vulnerable-to-silent-interception-of-tls-protected-data-64185035029f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QRF7-PH5V-MJ2V
Vulnerability from github – Published: 2025-05-06 18:30 – Updated: 2025-05-06 18:30Improper certificate validation in Logstash's TCP output could lead to a man-in-the-middle (MitM) attack in “client” mode, as hostname verification in TCP output was not being performed when the ssl_verification_mode => full was set.
{
"affected": [],
"aliases": [
"CVE-2025-37730"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-06T18:15:38Z",
"severity": "MODERATE"
},
"details": "Improper certificate validation in Logstash\u0027s TCP output could lead to a man-in-the-middle (MitM) attack in \u201cclient\u201d mode, as hostname verification in TCP output was not being performed when the ssl_verification_mode =\u003e full was set.",
"id": "GHSA-qrf7-ph5v-mj2v",
"modified": "2025-05-06T18:30:40Z",
"published": "2025-05-06T18:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37730"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/logstash-8-17-6-8-18-1-and-9-0-1-security-update-esa-2025-08/377869"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.
Mitigation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.