CWE-295
AllowedImproper Certificate Validation
Abstraction: Base · Status: Draft
The product does not validate, or incorrectly validates, a certificate.
1908 vulnerabilities reference this CWE, most recent first.
CVE-2021-22939 (GCVE-0-2021-22939)
Vulnerability from cvelistv5 – Published: 2021-08-16 00:00 – Updated: 2025-04-30 22:24- CWE-295 - Improper Certificate Validation (CWE-295)
| Vendor | Product | Version | |
|---|---|---|---|
| NodeJS | Node |
Affected:
4.0 , < 4.*
(semver)
Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.22.5 (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.17.5 (semver) Affected: 15.0 , < 15.* (semver) Affected: 16.0 , < 16.6.2 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:58:26.311Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/"
},
{
"tags": [
"x_transferred"
],
"url": "https://hackerone.com/reports/1278254"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210917-0003/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "[debian-lts-announce] 20221005 [SECURITY] [DLA 3137-1] nodejs security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html"
},
{
"name": "GLSA-202401-02",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202401-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Node",
"vendor": "NodeJS",
"versions": [
{
"lessThan": "4.*",
"status": "affected",
"version": "4.0",
"versionType": "semver"
},
{
"lessThan": "5.*",
"status": "affected",
"version": "5.0",
"versionType": "semver"
},
{
"lessThan": "6.*",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "7.*",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThan": "8.*",
"status": "affected",
"version": "8.0",
"versionType": "semver"
},
{
"lessThan": "9.*",
"status": "affected",
"version": "9.0",
"versionType": "semver"
},
{
"lessThan": "10.*",
"status": "affected",
"version": "10.0",
"versionType": "semver"
},
{
"lessThan": "11.*",
"status": "affected",
"version": "11.0",
"versionType": "semver"
},
{
"lessThan": "12.22.5",
"status": "affected",
"version": "12.0",
"versionType": "semver"
},
{
"lessThan": "13.*",
"status": "affected",
"version": "13.0",
"versionType": "semver"
},
{
"lessThan": "14.17.5",
"status": "affected",
"version": "14.0",
"versionType": "semver"
},
{
"lessThan": "15.*",
"status": "affected",
"version": "15.0",
"versionType": "semver"
},
{
"lessThan": "16.6.2",
"status": "affected",
"version": "16.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "If the Node.js https API was used incorrectly and \"undefined\" was in passed for the \"rejectUnauthorized\" parameter, no error was returned and connections to servers with an expired certificate would have been accepted."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "Improper Certificate Validation (CWE-295)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T22:24:36.404Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/"
},
{
"url": "https://hackerone.com/reports/1278254"
},
{
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20210917-0003/"
},
{
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "[debian-lts-announce] 20221005 [SECURITY] [DLA 3137-1] nodejs security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html"
},
{
"name": "GLSA-202401-02",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202401-02"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2021-22939",
"datePublished": "2021-08-16T00:00:00.000Z",
"dateReserved": "2021-01-06T00:00:00.000Z",
"dateUpdated": "2025-04-30T22:24:36.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-22895 (GCVE-0-2021-22895)
Vulnerability from cvelistv5 – Published: 2021-06-11 15:49 – Updated: 2024-08-03 18:58- CWE-295 - Improper Certificate Validation (CWE-295)
| URL | Tags |
|---|---|
| https://hackerone.com/reports/903424 | x_refsource_MISC |
| https://github.com/nextcloud/desktop/pull/2926 | x_refsource_MISC |
| https://github.com/nextcloud/desktop/releases/tag… | x_refsource_MISC |
| https://github.com/nextcloud/security-advisories/… | x_refsource_MISC |
| https://www.debian.org/security/2021/dsa-4974 | vendor-advisoryx_refsource_DEBIAN |
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Nextcloud Desktop Client |
Affected:
Fixed in 3.3.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:58:25.644Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/903424"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nextcloud/desktop/pull/2926"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nextcloud/desktop/releases/tag/v3.1.3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qpgp-vf4p-wcw5"
},
{
"name": "DSA-4974",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4974"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Nextcloud Desktop Client",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 3.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the \"Register with a Provider\" flow."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "Improper Certificate Validation (CWE-295)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-19T23:06:09.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/903424"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/desktop/pull/2926"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/desktop/releases/tag/v3.1.3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qpgp-vf4p-wcw5"
},
{
"name": "DSA-4974",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4974"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2021-22895",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Nextcloud Desktop Client",
"version": {
"version_data": [
{
"version_value": "Fixed in 3.3.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the \"Register with a Provider\" flow."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Certificate Validation (CWE-295)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/903424",
"refsource": "MISC",
"url": "https://hackerone.com/reports/903424"
},
{
"name": "https://github.com/nextcloud/desktop/pull/2926",
"refsource": "MISC",
"url": "https://github.com/nextcloud/desktop/pull/2926"
},
{
"name": "https://github.com/nextcloud/desktop/releases/tag/v3.1.3",
"refsource": "MISC",
"url": "https://github.com/nextcloud/desktop/releases/tag/v3.1.3"
},
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qpgp-vf4p-wcw5",
"refsource": "MISC",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qpgp-vf4p-wcw5"
},
{
"name": "DSA-4974",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4974"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2021-22895",
"datePublished": "2021-06-11T15:49:38.000Z",
"dateReserved": "2021-01-06T00:00:00.000Z",
"dateUpdated": "2024-08-03T18:58:25.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-22511 (GCVE-0-2021-22511)
Vulnerability from cvelistv5 – Published: 2021-04-08 21:27 – Updated: 2024-08-03 18:44- CWE-295 - Improper Certificate Validation.
| URL | Tags |
|---|---|
| https://www.jenkins.io/security/advisory/2021-04-… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Micro Focus Application Automation Tools Plugin - Jenkins plugin. |
Affected:
6.7 and earlier versions.
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:44:13.647Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.jenkins.io/security/advisory/2021-04-07/#SECURITY-2176"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Micro Focus Application Automation Tools Plugin - Jenkins plugin.",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "6.7 and earlier versions."
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Certificate Validation vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow unconditionally disabling of SSL/TLS certificates."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation.",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-08T21:27:24.000Z",
"orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"shortName": "microfocus"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.jenkins.io/security/advisory/2021-04-07/#SECURITY-2176"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@microfocus.com",
"ID": "CVE-2021-22511",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Micro Focus Application Automation Tools Plugin - Jenkins plugin.",
"version": {
"version_data": [
{
"version_value": "6.7 and earlier versions."
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Certificate Validation vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow unconditionally disabling of SSL/TLS certificates."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-295: Improper Certificate Validation."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.jenkins.io/security/advisory/2021-04-07/#SECURITY-2176",
"refsource": "MISC",
"url": "https://www.jenkins.io/security/advisory/2021-04-07/#SECURITY-2176"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"assignerShortName": "microfocus",
"cveId": "CVE-2021-22511",
"datePublished": "2021-04-08T21:27:24.000Z",
"dateReserved": "2021-01-05T00:00:00.000Z",
"dateUpdated": "2024-08-03T18:44:13.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-22278 (GCVE-0-2021-22278)
Vulnerability from cvelistv5 – Published: 2021-10-28 12:45 – Updated: 2024-09-16 18:23- CWE-295 - Improper Certificate Validation
| URL | Tags |
|---|---|
| https://search.abb.com/library/Download.aspx?Docu… | x_refsource_MISC |
| https://search.abb.com/library/Download.aspx?Docu… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| ABB | PCM600 |
Affected:
2.7 , < unspecified
(custom)
Affected: unspecified , ≤ 2.10 (custom) |
|
| ABB | PCM600 Update Manager |
Affected:
2.1
Affected: 2.1.0.4 Affected: 2.2 Affected: 2.2.0.1 Affected: 2.2.0.2 Affected: 2.2.0.23 Affected: 2.3.0.60 Affected: 2.4.20041.1 Affected: 2.4.20119.2 |
|
| Hitachi Energy | PCM600 |
Affected:
2.7 , < unspecified
(custom)
Affected: unspecified , ≤ 2.10 (custom) |
|
| Hitachi Energy | PCM600 Update Manager |
Affected:
2.1
Affected: 2.1.0.4 Affected: 2.2 Affected: 2.2.0.1 Affected: 2.2.0.2 Affected: 2.2.0.23 Affected: 2.3.0.60 Affected: 2.4.20041.1 Affected: 2.4.20119.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:37:18.443Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PCM600",
"vendor": "ABB",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2.7",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "PCM600 Update Manager",
"vendor": "ABB",
"versions": [
{
"status": "affected",
"version": "2.1"
},
{
"status": "affected",
"version": "2.1.0.4"
},
{
"status": "affected",
"version": "2.2"
},
{
"status": "affected",
"version": "2.2.0.1"
},
{
"status": "affected",
"version": "2.2.0.2"
},
{
"status": "affected",
"version": "2.2.0.23"
},
{
"status": "affected",
"version": "2.3.0.60"
},
{
"status": "affected",
"version": "2.4.20041.1"
},
{
"status": "affected",
"version": "2.4.20119.2"
}
]
},
{
"product": "PCM600",
"vendor": "Hitachi Energy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2.7",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "PCM600 Update Manager",
"vendor": "Hitachi Energy",
"versions": [
{
"status": "affected",
"version": "2.1"
},
{
"status": "affected",
"version": "2.1.0.4"
},
{
"status": "affected",
"version": "2.2"
},
{
"status": "affected",
"version": "2.2.0.1"
},
{
"status": "affected",
"version": "2.2.0.2"
},
{
"status": "affected",
"version": "2.2.0.23"
},
{
"status": "affected",
"version": "2.3.0.60"
},
{
"status": "affected",
"version": "2.4.20041.1"
},
{
"status": "affected",
"version": "2.4.20119.2"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ABB and Hitachi Energy thank CyTRICS researcher May Chaffin for helping to identify the vulnerabilities and protecting our customers."
}
],
"datePublic": "2021-10-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-28T12:45:58.000Z",
"orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"shortName": "ABB"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"solutions": [
{
"lang": "en",
"value": "Install latest PCM600 Update Manager version 2.4.21218.1 or newer."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Certificate verification vulnerability in Update Manager of PCM600 Engineering Tool",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@ch.abb.com",
"DATE_PUBLIC": "2021-10-19T10:02:00.000Z",
"ID": "CVE-2021-22278",
"STATE": "PUBLIC",
"TITLE": "Certificate verification vulnerability in Update Manager of PCM600 Engineering Tool"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PCM600",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "2.7"
},
{
"version_affected": "\u003c=",
"version_value": "2.10"
}
]
}
},
{
"product_name": "PCM600 Update Manager",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "2.1"
},
{
"version_affected": "=",
"version_value": "2.1.0.4"
},
{
"version_affected": "=",
"version_value": "2.2"
},
{
"version_affected": "=",
"version_value": "2.2.0.1"
},
{
"version_affected": "=",
"version_value": "2.2.0.2"
},
{
"version_affected": "=",
"version_value": "2.2.0.23"
},
{
"version_affected": "=",
"version_value": "2.3.0.60"
},
{
"version_affected": "=",
"version_value": "2.4.20041.1"
},
{
"version_affected": "=",
"version_value": "2.4.20119.2"
}
]
}
}
]
},
"vendor_name": "ABB"
},
{
"product": {
"product_data": [
{
"product_name": "PCM600",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "2.7"
},
{
"version_affected": "\u003c=",
"version_value": "2.10"
}
]
}
},
{
"product_name": "PCM600 Update Manager",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "2.1"
},
{
"version_affected": "=",
"version_value": "2.1.0.4"
},
{
"version_affected": "=",
"version_value": "2.2"
},
{
"version_affected": "=",
"version_value": "2.2.0.1"
},
{
"version_affected": "=",
"version_value": "2.2.0.2"
},
{
"version_affected": "=",
"version_value": "2.2.0.23"
},
{
"version_affected": "=",
"version_value": "2.3.0.60"
},
{
"version_affected": "=",
"version_value": "2.4.20041.1"
},
{
"version_affected": "=",
"version_value": "2.4.20119.2"
}
]
}
}
]
},
"vendor_name": "Hitachi Energy"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "ABB and Hitachi Energy thank CyTRICS researcher May Chaffin for helping to identify the vulnerabilities and protecting our customers."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-295 Improper Certificate Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "MISC",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "MISC",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
]
},
"solution": [
{
"lang": "en",
"value": "Install latest PCM600 Update Manager version 2.4.21218.1 or newer."
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"assignerShortName": "ABB",
"cveId": "CVE-2021-22278",
"datePublished": "2021-10-28T12:45:58.086Z",
"dateReserved": "2021-01-05T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:23:59.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-22138 (GCVE-0-2021-22138)
Vulnerability from cvelistv5 – Published: 2021-05-13 17:35 – Updated: 2024-08-03 18:30- CWE-295 - Improper Certificate Validation
| URL | Tags |
|---|---|
| https://discuss.elastic.co/t/elastic-stack-7-12-0… | x_refsource_MISC |
| https://security.netapp.com/advisory/ntap-2021062… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| Elastic | Elasticsearch |
Affected:
after 6.4.0 and before 6.8.15 and 7.12.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:30:24.012Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210629-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Elasticsearch",
"vendor": "Elastic",
"versions": [
{
"status": "affected",
"version": "after 6.4.0 and before 6.8.15 and 7.12.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Logstash versions after 6.4.0 and before 6.8.15 and 7.12.0 a TLS certificate validation flaw was found in the monitoring feature. When specifying a trusted server CA certificate Logstash would not properly verify the certificate returned by the monitoring server. This could result in a man in the middle style attack against the Logstash monitoring data."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-29T09:06:14.000Z",
"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
"shortName": "elastic"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210629-0001/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@elastic.co",
"ID": "CVE-2021-22138",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Elasticsearch",
"version": {
"version_data": [
{
"version_value": "after 6.4.0 and before 6.8.15 and 7.12.0"
}
]
}
}
]
},
"vendor_name": "Elastic"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Logstash versions after 6.4.0 and before 6.8.15 and 7.12.0 a TLS certificate validation flaw was found in the monitoring feature. When specifying a trusted server CA certificate Logstash would not properly verify the certificate returned by the monitoring server. This could result in a man in the middle style attack against the Logstash monitoring data."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-295: Improper Certificate Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125",
"refsource": "MISC",
"url": "https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210629-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210629-0001/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
"assignerShortName": "elastic",
"cveId": "CVE-2021-22138",
"datePublished": "2021-05-13T17:35:19.000Z",
"dateReserved": "2021-01-04T00:00:00.000Z",
"dateUpdated": "2024-08-03T18:30:24.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21959 (GCVE-0-2021-21959)
Vulnerability from cvelistv5 – Published: 2022-02-04 22:29 – Updated: 2025-04-15 19:10- CWE-295 - Improper Certificate Validation
| URL | Tags |
|---|---|
| https://talosintelligence.com/vulnerability_repor… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:30:23.644Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1388"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-21959",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-15T18:19:09.839388Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T19:10:31.605Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Sealevel",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Sealevel Systems, Inc. SeaConnect 370W v1.3.34"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A misconfiguration exists in the MQTTS functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. This misconfiguration significantly simplifies a man-in-the-middle attack, which directly leads to control of device functionality."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-04T22:29:09.000Z",
"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"shortName": "talos"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1388"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "talos-cna@cisco.com",
"ID": "CVE-2021-21959",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Sealevel",
"version": {
"version_data": [
{
"version_value": "Sealevel Systems, Inc. SeaConnect 370W v1.3.34"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A misconfiguration exists in the MQTTS functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. This misconfiguration significantly simplifies a man-in-the-middle attack, which directly leads to control of device functionality."
}
]
},
"impact": {
"cvss": {
"baseScore": 7.7,
"baseSeverity": "High",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-295: Improper Certificate Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1388",
"refsource": "MISC",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1388"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"assignerShortName": "talos",
"cveId": "CVE-2021-21959",
"datePublished": "2022-02-04T22:29:09.000Z",
"dateReserved": "2021-01-04T00:00:00.000Z",
"dateUpdated": "2025-04-15T19:10:31.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21571 (GCVE-0-2021-21571)
Vulnerability from cvelistv5 – Published: 2021-06-24 17:00 – Updated: 2024-09-16 17:14- CWE-295 - Improper Certificate Validation
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-us/000188682 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | UEFI BIOS https stack |
Affected:
Gen 11, Gen 10
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:16:23.284Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000188682"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "UEFI BIOS https stack",
"vendor": "Dell",
"versions": [
{
"status": "affected",
"version": "Gen 11, Gen 10"
}
]
}
],
"datePublic": "2021-06-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Dell UEFI BIOS https stack leveraged by the Dell BIOSConnect feature and Dell HTTPS Boot feature contains an improper certificate validation vulnerability. A remote unauthenticated attacker may exploit this vulnerability using a person-in-the-middle attack which may lead to a denial of service and payload tampering."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-24T17:00:14.000Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000188682"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"DATE_PUBLIC": "2021-06-24",
"ID": "CVE-2021-21571",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "UEFI BIOS https stack",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Gen 11, Gen 10"
}
]
}
}
]
},
"vendor_name": "Dell"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Dell UEFI BIOS https stack leveraged by the Dell BIOSConnect feature and Dell HTTPS Boot feature contains an improper certificate validation vulnerability. A remote unauthenticated attacker may exploit this vulnerability using a person-in-the-middle attack which may lead to a denial of service and payload tampering."
}
]
},
"impact": {
"cvss": {
"baseScore": 5.9,
"baseSeverity": "Medium",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-295: Improper Certificate Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.dell.com/support/kbdoc/en-us/000188682",
"refsource": "MISC",
"url": "https://www.dell.com/support/kbdoc/en-us/000188682"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2021-21571",
"datePublished": "2021-06-24T17:00:15.004Z",
"dateReserved": "2021-01-04T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:14:18.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21559 (GCVE-0-2021-21559)
Vulnerability from cvelistv5 – Published: 2021-06-08 18:05 – Updated: 2024-09-17 01:51- CWE-295 - Improper Certificate Validation
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-us/00018663… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:16:23.638Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000186638/dsa-2021-104-dell-emc-networker-security-update-for-multiple-vulnerabilities"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "NetWorker",
"vendor": "Dell",
"versions": [
{
"lessThan": "19.4.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-05-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Dell EMC NetWorker, versions 18.x, 19.1.x, 19.2.x 19.3.x, 19.4, and 19.4.0.1 contain an Improper Certificate Validation vulnerability in the client (NetWorker Management Console) components which uses SSL encrypted connection in order to communicate with the application server. An unauthenticated attacker in the same network collision domain as the NetWorker Management Console client could potentially exploit this vulnerability to perform man-in-the-middle attacks to intercept and tamper the traffic between the client and the application server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-08T18:05:47.000Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000186638/dsa-2021-104-dell-emc-networker-security-update-for-multiple-vulnerabilities"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"DATE_PUBLIC": "2021-05-13",
"ID": "CVE-2021-21559",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "NetWorker",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "19.4.0.2"
}
]
}
}
]
},
"vendor_name": "Dell"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Dell EMC NetWorker, versions 18.x, 19.1.x, 19.2.x 19.3.x, 19.4, and 19.4.0.1 contain an Improper Certificate Validation vulnerability in the client (NetWorker Management Console) components which uses SSL encrypted connection in order to communicate with the application server. An unauthenticated attacker in the same network collision domain as the NetWorker Management Console client could potentially exploit this vulnerability to perform man-in-the-middle attacks to intercept and tamper the traffic between the client and the application server."
}
]
},
"impact": {
"cvss": {
"baseScore": 7.1,
"baseSeverity": "High",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-295: Improper Certificate Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.dell.com/support/kbdoc/en-us/000186638/dsa-2021-104-dell-emc-networker-security-update-for-multiple-vulnerabilities",
"refsource": "MISC",
"url": "https://www.dell.com/support/kbdoc/en-us/000186638/dsa-2021-104-dell-emc-networker-security-update-for-multiple-vulnerabilities"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2021-21559",
"datePublished": "2021-06-08T18:05:47.368Z",
"dateReserved": "2021-01-04T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:51:32.485Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21548 (GCVE-0-2021-21548)
Vulnerability from cvelistv5 – Published: 2023-03-17 05:07 – Updated: 2025-02-26 14:56- CWE-295 - Improper Certificate Validation
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-uk/00018960… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | Unisphere for PowerMax, Dell EMC Unisphere for PowerMax Virtual Appliance , PowerMax OS |
Affected:
Versions before 9.1.0.27
Affected: 5978 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:16:22.985Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.dell.com/support/kbdoc/en-uk/000189606/dsa-2021-134-dell-emc-unisphere-for-powermax-dell-emc-unisphere-for-powermax-virtual-appliance-dell-emc-solutions-enabler-virtual-appliance-and-dell-emc-powermax-embedded-management-security-update-for-multiple-third-party-component-vulnerabilities"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-21548",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-26T14:54:45.735135Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-26T14:56:10.218Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Unisphere for PowerMax, Dell EMC Unisphere for PowerMax Virtual Appliance , PowerMax OS",
"vendor": "Dell",
"versions": [
{
"status": "affected",
"version": "Versions before 9.1.0.27"
},
{
"status": "affected",
"version": "5978"
}
]
}
],
"datePublic": "2021-07-22T06:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDell EMC Unisphere for PowerMax versions before 9.1.0.27, Dell EMC Unisphere for PowerMax Virtual Appliance versions before 9.1.0.27, and PowerMax OS Release 5978 contain an improper certificate validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to carry out a man-in-the-middle attack by supplying a crafted certificate and intercepting the victim\u0027s traffic to view or modify a victim\u2019s data in transit.\u003c/span\u003e\n\n"
}
],
"value": "\nDell EMC Unisphere for PowerMax versions before 9.1.0.27, Dell EMC Unisphere for PowerMax Virtual Appliance versions before 9.1.0.27, and PowerMax OS Release 5978 contain an improper certificate validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to carry out a man-in-the-middle attack by supplying a crafted certificate and intercepting the victim\u0027s traffic to view or modify a victim\u2019s data in transit.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-17T05:07:42.867Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-uk/000189606/dsa-2021-134-dell-emc-unisphere-for-powermax-dell-emc-unisphere-for-powermax-virtual-appliance-dell-emc-solutions-enabler-virtual-appliance-and-dell-emc-powermax-embedded-management-security-update-for-multiple-third-party-component-vulnerabilities"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2021-21548",
"datePublished": "2023-03-17T05:07:42.867Z",
"dateReserved": "2021-01-04T15:38:42.784Z",
"dateUpdated": "2025-02-26T14:56:10.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21385 (GCVE-0-2021-21385)
Vulnerability from cvelistv5 – Published: 2021-03-24 20:45 – Updated: 2024-08-03 18:09| URL | Tags |
|---|---|
| https://github.com/openMF/mifos-mobile/security/a… | x_refsource_CONFIRM |
| https://openmf.github.io/mobileapps.github.io/ | x_refsource_MISC |
| https://github.com/openMF/mifos-mobile/commit/e50… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| openMF | mifos-mobile |
Affected:
<= 7ed4f22
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:15.930Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/openMF/mifos-mobile/security/advisories/GHSA-9657-33wf-rmvx"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://openmf.github.io/mobileapps.github.io/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/openMF/mifos-mobile/commit/e505f62b92b19292bfdabd6e996ab76abfeaa90d"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "mifos-mobile",
"vendor": "openMF",
"versions": [
{
"status": "affected",
"version": "\u003c= 7ed4f22"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mifos-Mobile Android Application for MifosX is an Android Application built on top of the MifosX Self-Service platform. Mifos-Mobile before commit e505f62 disables HTTPS hostname verification of its HTTP client. Additionally it accepted any self-signed certificate as valid. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. Accepting any certificate, even self-signed ones allows man-in-the-middle attacks. This problem is fixed in mifos-mobile commit e505f62."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-297",
"description": "CWE-297: Improper Validation of Certificate with Host Mismatch",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-24T20:45:17.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openMF/mifos-mobile/security/advisories/GHSA-9657-33wf-rmvx"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://openmf.github.io/mobileapps.github.io/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openMF/mifos-mobile/commit/e505f62b92b19292bfdabd6e996ab76abfeaa90d"
}
],
"source": {
"advisory": "GHSA-9657-33wf-rmvx",
"discovery": "UNKNOWN"
},
"title": "Disabled hostname verification and accepting self-signed certificates",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21385",
"STATE": "PUBLIC",
"TITLE": "Disabled hostname verification and accepting self-signed certificates"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "mifos-mobile",
"version": {
"version_data": [
{
"version_value": "\u003c= 7ed4f22"
}
]
}
}
]
},
"vendor_name": "openMF"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Mifos-Mobile Android Application for MifosX is an Android Application built on top of the MifosX Self-Service platform. Mifos-Mobile before commit e505f62 disables HTTPS hostname verification of its HTTP client. Additionally it accepted any self-signed certificate as valid. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. Accepting any certificate, even self-signed ones allows man-in-the-middle attacks. This problem is fixed in mifos-mobile commit e505f62."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-295: Improper Certificate Validation"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-297: Improper Validation of Certificate with Host Mismatch"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/openMF/mifos-mobile/security/advisories/GHSA-9657-33wf-rmvx",
"refsource": "CONFIRM",
"url": "https://github.com/openMF/mifos-mobile/security/advisories/GHSA-9657-33wf-rmvx"
},
{
"name": "https://openmf.github.io/mobileapps.github.io/",
"refsource": "MISC",
"url": "https://openmf.github.io/mobileapps.github.io/"
},
{
"name": "https://github.com/openMF/mifos-mobile/commit/e505f62b92b19292bfdabd6e996ab76abfeaa90d",
"refsource": "MISC",
"url": "https://github.com/openMF/mifos-mobile/commit/e505f62b92b19292bfdabd6e996ab76abfeaa90d"
}
]
},
"source": {
"advisory": "GHSA-9657-33wf-rmvx",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21385",
"datePublished": "2021-03-24T20:45:17.000Z",
"dateReserved": "2020-12-22T00:00:00.000Z",
"dateUpdated": "2024-08-03T18:09:15.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.
Mitigation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.