CWE-295
AllowedImproper Certificate Validation
Abstraction: Base · Status: Draft
The product does not validate, or incorrectly validates, a certificate.
1903 vulnerabilities reference this CWE, most recent first.
GHSA-XM9F-FPH8-8369
Vulnerability from github – Published: 2023-03-24 21:30 – Updated: 2025-10-22 00:32In WorkSource, there is a possible parcel mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-220302519
{
"affected": [],
"aliases": [
"CVE-2023-20963"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-24T20:15:00Z",
"severity": "HIGH"
},
"details": "In WorkSource, there is a possible parcel mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-220302519",
"id": "GHSA-xm9f-fph8-8369",
"modified": "2025-10-22T00:32:43Z",
"published": "2023-03-24T21:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20963"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2023-03-01"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-20963"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XMM7-85WH-J3JF
Vulnerability from github – Published: 2022-08-26 00:03 – Updated: 2022-09-01 00:00Odyssey passes to client unencrypted bytes from man-in-the-middle When Odyssey storage is configured to use the PostgreSQL server using 'trust' authentication with a 'clientcert' requirement or to use 'cert' authentication, a man-in-the-middle attacker can inject false responses to the client's first few queries. Despite the use of SSL certificate verification and encryption, Odyssey will pass these results to client as if they originated from valid server. This is similar to CVE-2021-23222 for PostgreSQL.
{
"affected": [],
"aliases": [
"CVE-2021-43767"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-25T18:15:00Z",
"severity": "MODERATE"
},
"details": "Odyssey passes to client unencrypted bytes from man-in-the-middle When Odyssey storage is configured to use the PostgreSQL server using \u0027trust\u0027 authentication with a \u0027clientcert\u0027 requirement or to use \u0027cert\u0027 authentication, a man-in-the-middle attacker can inject false responses to the client\u0027s first few queries. Despite the use of SSL certificate verification and encryption, Odyssey will pass these results to client as if they originated from valid server. This is similar to CVE-2021-23222 for PostgreSQL.",
"id": "GHSA-xmm7-85wh-j3jf",
"modified": "2022-09-01T00:00:22Z",
"published": "2022-08-26T00:03:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43767"
},
{
"type": "WEB",
"url": "https://github.com/yandex/odyssey/issues/377,"
},
{
"type": "WEB",
"url": "https://www.postgresql.org/support/security/CVE-2021-23222"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XMQV-PFW7-QMJ7
Vulnerability from github – Published: 2022-05-24 16:47 – Updated: 2023-10-26 22:18CloudBees CD Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM during the deployment/publication of an application.
CloudBees CD Plugin no longer does that. Instead, the existing opt-in option to ignore SSL/TLS errors is used during deployment for the specific connection.
This issue was caused by an incomplete fix for SECURITY-937.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.1.6"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:electricflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10334"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-26T22:18:30Z",
"nvd_published_at": "2019-06-11T14:29:00Z",
"severity": "MODERATE"
},
"details": "CloudBees CD Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM during the deployment/publication of an application.\n\nCloudBees CD Plugin no longer does that. Instead, the existing opt-in option to ignore SSL/TLS errors is used during deployment for the specific connection.\n\nThis issue was caused by an incomplete fix for [SECURITY-937](https://www.jenkins.io/security/advisory/2019-02-19/#SECURITY-937).",
"id": "GHSA-xmqv-pfw7-qmj7",
"modified": "2023-10-26T22:18:30Z",
"published": "2022-05-24T16:47:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10334"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/electricflow-plugin/commit/d0b807d5e2de07a90d902401bae033c2907b850a"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1411"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200227033720/http://www.securityfocus.com/bid/108747"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/06/11/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins ElectricFlow Plugin globally and unconditionally disabled SSL/TLS certificate validation"
}
GHSA-XP29-43PM-7R9G
Vulnerability from github – Published: 2026-02-12 12:31 – Updated: 2026-02-12 15:32The affected devices do not validate the server certificate when connecting to the SolaX Cloud MQTTS server hosted in the Alibaba Cloud (mqtt001.solaxcloud.com, TCP 8883). This allows attackers in a man-in-the-middle position to act as the legitimate MQTT server and issue arbitrary commands to devices.
{
"affected": [],
"aliases": [
"CVE-2025-15573"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-12T11:15:47Z",
"severity": "CRITICAL"
},
"details": "The affected devices do not validate the server certificate when connecting to the SolaX Cloud MQTTS server hosted in the Alibaba Cloud (mqtt001.solaxcloud.com, TCP 8883). This allows attackers in a man-in-the-middle position to act as the legitimate MQTT server and issue arbitrary commands to devices.",
"id": "GHSA-xp29-43pm-7r9g",
"modified": "2026-02-12T15:32:47Z",
"published": "2026-02-12T12:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15573"
},
{
"type": "WEB",
"url": "https://r.sec-consult.com/solax"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XP43-GQWV-MMJP
Vulnerability from github – Published: 2022-05-14 01:15 – Updated: 2022-05-14 01:15Heimdal Thor Agent 2.5.17x before 2.5.173 does not verify X.509 certificates from TLS servers, which allows remote attackers to spoof servers and obtain sensitive information via a crafted certificate.
{
"affected": [],
"aliases": [
"CVE-2019-8351"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-21T21:29:00Z",
"severity": "CRITICAL"
},
"details": "Heimdal Thor Agent 2.5.17x before 2.5.173 does not verify X.509 certificates from TLS servers, which allows remote attackers to spoof servers and obtain sensitive information via a crafted certificate.",
"id": "GHSA-xp43-gqwv-mmjp",
"modified": "2022-05-14T01:15:47Z",
"published": "2022-05-14T01:15:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8351"
},
{
"type": "WEB",
"url": "https://support.heimdalsecurity.com/hc/en-us/articles/360001084158-Release-2-5-172-PROD-Update"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XPH7-GHPX-JXPR
Vulnerability from github – Published: 2022-05-13 01:48 – Updated: 2022-05-13 01:48An issue was discovered in F-Secure XFENCE and Little Flocker. A maliciously crafted Universal/fat binary can evade third-party code signing checks. By not completing full inspection of the Universal/fat binary, the user of the third-party tool will believe that the code is signed by Apple, but the malicious unsigned code will execute.
{
"affected": [],
"aliases": [
"CVE-2018-10403"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-13T22:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in F-Secure XFENCE and Little Flocker. A maliciously crafted Universal/fat binary can evade third-party code signing checks. By not completing full inspection of the Universal/fat binary, the user of the third-party tool will believe that the code is signed by Apple, but the malicious unsigned code will execute.",
"id": "GHSA-xph7-ghpx-jxpr",
"modified": "2022-05-13T01:48:47Z",
"published": "2022-05-13T01:48:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10403"
},
{
"type": "WEB",
"url": "https://www.okta.com/security-blog/2018/06/issues-around-third-party-apple-code-signing-checks"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XPV9-P7VG-QHRC
Vulnerability from github – Published: 2026-06-26 00:32 – Updated: 2026-06-27 21:30OCSP CertID serial-number length-confusion in wolfSSL_OCSP_resp_find_status allows a same-issuer SingleResponse whose serial is a prefix of the target serial to be reported as the revocation status of a different certificate. The lookup compared serial-number bytes without first requiring the two serial numbers to be of equal length, so a SingleResponse for one certificate (same issuer) whose serial is a prefix of the target's serial would match, returning the wrong certificate's status. The fix requires the serial lengths to be equal before comparing the serial bytes.
{
"affected": [],
"aliases": [
"CVE-2026-10098"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T22:16:59Z",
"severity": "MODERATE"
},
"details": "OCSP CertID serial-number length-confusion in wolfSSL_OCSP_resp_find_status allows a same-issuer SingleResponse whose serial is a prefix of the target serial to be reported as the revocation status of a different certificate. The lookup compared serial-number bytes without first requiring the two serial numbers to be of equal length, so a SingleResponse for one certificate (same issuer) whose serial is a prefix of the target\u0027s serial would match, returning the wrong certificate\u0027s status. The fix requires the serial lengths to be equal before comparing the serial bytes.",
"id": "GHSA-xpv9-p7vg-qhrc",
"modified": "2026-06-27T21:30:27Z",
"published": "2026-06-26T00:32:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10098"
},
{
"type": "WEB",
"url": "https://github.com/wolfSSL/wolfssl/pull/10554"
},
{
"type": "WEB",
"url": "https://www.wolfssl.com/docs/security-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XQM3-JFJ9-8PF2
Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2024-04-04 02:46GnuTLS before 3.3.13 does not validate that the signature algorithms match when importing a certificate.
{
"affected": [],
"aliases": [
"CVE-2015-0294"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-27T16:15:00Z",
"severity": "HIGH"
},
"details": "GnuTLS before 3.3.13 does not validate that the signature algorithms match when importing a certificate.",
"id": "GHSA-xqm3-jfj9-8pf2",
"modified": "2024-04-04T02:46:56Z",
"published": "2022-05-24T17:07:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0294"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1196323"
},
{
"type": "WEB",
"url": "https://gitlab.com/gnutls/gnutls/commit/6e76e9b9fa845b76b0b9a45f05f4b54a052578ff"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2015/dsa-3191"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XQW6-233F-6MQ4
Vulnerability from github – Published: 2022-05-14 03:16 – Updated: 2022-05-14 03:16Adobe Creative Cloud Desktop Application versions 4.4.1.298 and earlier have an exploitable Improper certificate validation vulnerability. Successful exploitation could lead to a security bypass.
{
"affected": [],
"aliases": [
"CVE-2018-4991"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-19T17:29:00Z",
"severity": "CRITICAL"
},
"details": "Adobe Creative Cloud Desktop Application versions 4.4.1.298 and earlier have an exploitable Improper certificate validation vulnerability. Successful exploitation could lead to a security bypass.",
"id": "GHSA-xqw6-233f-6mq4",
"modified": "2022-05-14T03:16:49Z",
"published": "2022-05-14T03:16:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4991"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/creative-cloud/apsb18-12.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/104103"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040860"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XR44-2PV4-GW8R
Vulnerability from github – Published: 2024-01-25 09:30 – Updated: 2024-01-31 21:31SpliceCom Maximiser Soft PBX v1.5 and before was discovered to utilize a default SSL certificate. This issue can allow attackers to eavesdrop on communications via a man-in-the-middle attack.
{
"affected": [],
"aliases": [
"CVE-2023-33760"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-25T08:15:08Z",
"severity": "MODERATE"
},
"details": "SpliceCom Maximiser Soft PBX v1.5 and before was discovered to utilize a default SSL certificate. This issue can allow attackers to eavesdrop on communications via a man-in-the-middle attack.",
"id": "GHSA-xr44-2pv4-gw8r",
"modified": "2024-01-31T21:31:03Z",
"published": "2024-01-25T09:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33760"
},
{
"type": "WEB",
"url": "https://github.com/twignet/splicecom"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.
Mitigation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.