Common Weakness Enumeration

CWE-295

Allowed

Improper Certificate Validation

Abstraction: Base · Status: Draft

The product does not validate, or incorrectly validates, a certificate.

1908 vulnerabilities reference this CWE, most recent first.

GHSA-2QXW-7FMX-GQFM

Vulnerability from github – Published: 2026-02-02 06:30 – Updated: 2026-03-27 00:31
VLAI
Summary
foreman_kubevirt disables SSL verification if a Certificate Authority (CA) certificate is not explicitly set
Details

A flaw was found in foreman_kubevirt. When configuring the connection to OpenShift, the system disables SSL verification if a Certificate Authority (CA) certificate is not explicitly set. This insecure default allows a remote attacker, capable of intercepting network traffic between Satellite and OpenShift, to perform a Man-in-the-Middle (MITM) attack. Such an attack could lead to the disclosure or alteration of sensitive information.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "foreman_kubevirt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-1531"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-02T21:15:40Z",
    "nvd_published_at": "2026-02-02T06:16:20Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in foreman_kubevirt. When configuring the connection to OpenShift, the system disables SSL verification if a Certificate Authority (CA) certificate is not explicitly set. This insecure default allows a remote attacker, capable of intercepting network traffic between Satellite and OpenShift, to perform a Man-in-the-Middle (MITM) attack. Such an attack could lead to the disclosure or alteration of sensitive information.",
  "id": "GHSA-2qxw-7fmx-gqfm",
  "modified": "2026-03-27T00:31:20Z",
  "published": "2026-02-02T06:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1531"
    },
    {
      "type": "WEB",
      "url": "https://github.com/theforeman/foreman_kubevirt/commit/6c9973ee59c6fbec65f165eb9ea9dd4ebb6eeef1"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:5968"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:5970"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:5971"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-1531"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433786"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/foreman_kubevirt/CVE-2026-1531.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/theforeman/foreman_kubevirt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "foreman_kubevirt disables SSL verification if a Certificate Authority (CA) certificate is not explicitly set"
}

GHSA-2R56-QGV4-C7WJ

Vulnerability from github – Published: 2026-06-22 15:30 – Updated: 2026-06-22 15:30
VLAI
Details

IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, 5.3 could allow a privileged user to perform operations and obtain sensitive information outside of their authority due to improper token validation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2669"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-22T14:16:21Z",
    "severity": "MODERATE"
  },
  "details": "IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, 5.3 could allow a privileged user to perform operations and obtain sensitive information outside of their authority due to improper token validation.",
  "id": "GHSA-2r56-qgv4-c7wj",
  "modified": "2026-06-22T15:30:43Z",
  "published": "2026-06-22T15:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2669"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7277112"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2R8V-P65X-3663

Vulnerability from github – Published: 2026-07-01 20:32 – Updated: 2026-07-01 20:32
VLAI
Summary
QUIC has Broken TLS verification
Details

Impact

The QUIC client did not authenticate the server during the TLS 1.3 handshake. The CertificateVerify signature was not checked, the certificate chain was not validated, and the hostname was not compared against the certificate, so verify was effectively a no-op on the client. A man-in-the-middle on the network path could present any certificate and impersonate any server, defeating the confidentiality and integrity of the connection. HTTP/3 uses the same client and was equally affected. Handshakes authenticated by a PSK (session resumption) are not affected, because the peer is authenticated by the PSK binder and no certificate is sent.

Patches

Fixed in 1.4.4. The client now verifies the CertificateVerify signature, validates the certificate chain against the trust store (cacerts option, the operating system store by default), and checks the hostname. Client verify now defaults to on; set verify => false to accept any certificate (for example a self-signed test server).

Workarounds

None before 1.4.4. verify => true had no effect, and inspecting the certificate after connecting does not help because without the signature check the peer is never proven to own the certificate it presents.

Credit

Reported by benmmurphy.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.4.3"
      },
      "package": {
        "ecosystem": "Hex",
        "name": "quic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49457"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295",
      "CWE-297"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-01T20:32:34Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nThe QUIC client did not authenticate the server during the TLS 1.3 handshake. The CertificateVerify signature was not checked, the certificate chain was not validated, and the hostname was not compared against the certificate, so `verify` was effectively a no-op on the client. A man-in-the-middle on the network path could present any certificate and impersonate any server, defeating the confidentiality and integrity of the connection. HTTP/3 uses the same client and was equally affected. Handshakes authenticated by a PSK (session resumption) are not affected, because the peer is authenticated by the PSK binder and no certificate is sent.\n\n### Patches\n\nFixed in 1.4.4. The client now verifies the CertificateVerify signature, validates the certificate chain against the trust store (`cacerts` option, the operating system store by default), and checks the hostname. Client `verify` now defaults to on; set `verify =\u003e false` to accept any certificate (for example a self-signed test server).\n\n### Workarounds\n\nNone before 1.4.4. `verify =\u003e true` had no effect, and inspecting the certificate after connecting does not help because without the signature check the peer is never proven to own the certificate it presents.\n\n### Credit\n\nReported by benmmurphy.",
  "id": "GHSA-2r8v-p65x-3663",
  "modified": "2026-07-01T20:32:34Z",
  "published": "2026-07-01T20:32:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/benoitc/erlang_quic/security/advisories/GHSA-2r8v-p65x-3663"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/benoitc/erlang_quic"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "QUIC has Broken TLS verification"
}

GHSA-2R97-CVGM-W9RP

Vulnerability from github – Published: 2022-05-14 03:40 – Updated: 2022-05-14 03:40
VLAI
Details

An Improper Certificate Validation issue was discovered in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1, 1.5, and 1.6. The pump does not validate host certificates, leaving the pump vulnerable to a man-in-the-middle (MITM) attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-12721"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-15T10:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An Improper Certificate Validation issue was discovered in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1, 1.5, and 1.6. The pump does not validate host certificates, leaving the pump vulnerable to a man-in-the-middle (MITM) attack.",
  "id": "GHSA-2r97-cvgm-w9rp",
  "modified": "2022-05-14T03:40:37Z",
  "published": "2022-05-14T03:40:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12721"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-02A"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100665"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2RC4-7JC6-QFFH

Vulnerability from github – Published: 2026-05-14 13:13 – Updated: 2026-06-08 23:36
VLAI
Summary
Fleet has a Windows MDM management endpoint authentication bypass
Details

Summary

A vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to impersonate an enrolled Windows device and retrieve sensitive configuration data.

Impact

Fleet’s Windows MDM management endpoint relies on mutual TLS (mTLS) client certificates to authenticate enrolled devices. In affected versions, requests that did not present a client certificate could be incorrectly treated as trusted.

As a result, an attacker with prior knowledge of a valid enrolled device identifier could potentially impersonate that device and receive configuration payloads intended for it. These payloads may contain sensitive information such as Wi-Fi or VPN configuration data, certificates, or other secrets delivered through MDM profiles.

This issue does not allow enrollment of new devices, administrative access to Fleet, or compromise of the Fleet control plane. Impact is limited to the targeted Windows device.

Workarounds

If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.

For more information

If you have any questions or comments about this advisory:

Email us at security@fleetdm.com Join #fleet in osquery Slack

Credits

We thank @secfox-ai for responsibly reporting this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fleetdm/fleet/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.81.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-23998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T13:13:11Z",
    "nvd_published_at": "2026-05-14T19:16:30Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nA vulnerability in Fleet\u2019s Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to impersonate an enrolled Windows device and retrieve sensitive configuration data.\n\n### Impact\n\nFleet\u2019s Windows MDM management endpoint relies on mutual TLS (mTLS) client certificates to authenticate enrolled devices. In affected versions, requests that did not present a client certificate could be incorrectly treated as trusted.\n\nAs a result, an attacker with prior knowledge of a valid enrolled device identifier could potentially impersonate that device and receive configuration payloads intended for it. These payloads may contain sensitive information such as Wi-Fi or VPN configuration data, certificates, or other secrets delivered through MDM profiles.\n\nThis issue does not allow enrollment of new devices, administrative access to Fleet, or compromise of the Fleet control plane. Impact is limited to the targeted Windows device.\n\n### Workarounds\n\nIf an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\nEmail us at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nWe thank @secfox-ai for responsibly reporting this issue.",
  "id": "GHSA-2rc4-7jc6-qffh",
  "modified": "2026-06-08T23:36:07Z",
  "published": "2026-05-14T13:13:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-2rc4-7jc6-qffh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23998"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fleetdm/fleet/commit/3ff8119ab8f794806a4cc82e21f760c123d92966"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fleetdm/fleet"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fleetdm/fleet/releases/tag/fleet-v4.81.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Fleet has a Windows MDM management endpoint authentication bypass"
}

GHSA-2RM4-33M8-3GR6

Vulnerability from github – Published: 2022-05-17 02:45 – Updated: 2025-04-20 03:37
VLAI
Details

The Electronic Funds Source (EFS) Mobile Driver Source app 2.5 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-5909"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-05T07:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The Electronic Funds Source (EFS) Mobile Driver Source app 2.5 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.",
  "id": "GHSA-2rm4-33m8-3gr6",
  "modified": "2025-04-20T03:37:14Z",
  "published": "2022-05-17T02:45:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5909"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/%40chronic_9612/follow-up-76-popular-apps-confirmed-vulnerable-to-silent-interception-of-tls-protected-data-64185035029f"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@chronic_9612/follow-up-76-popular-apps-confirmed-vulnerable-to-silent-interception-of-tls-protected-data-64185035029f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2V5C-755P-P4GV

Vulnerability from github – Published: 2020-07-31 17:40 – Updated: 2023-05-16 16:01
VLAI
Summary
Missing TLS certificate verification in faye-websocket
Details

The Faye::WebSocket::Client class uses the EM::Connection#start_tls method in EventMachine to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any wss: connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to.

This has been a requested feature in EventMachine for many years now; see for example #275, #378, and #814. In June 2020, em-http-request published an advisory related to this problem and fixed it by implementing TLS verification in their own codebase; although EventMachine does not implement certificate verification itself, it provides an extension point for the caller to implement it, called ssl_verify_peer. Based on this implementation, we have incorporated similar functionality into faye-websocket for Ruby, such that we use the OpenSSL module to perform two checks:

  • The chain of certificates presented by the server is valid and ultimately trusted by your root certificate set -- either your system default root certificates, or a set provided at runtime
  • The final certificate presented by the server is valid for the hostname used in the request URI; if the connection is made via a proxy we use the hostname from the request, not the proxy's hostname

After implementing verification in v1.1.6, em-http-request has elected to leave the :verify_peer option switched off by default. We have decided to enable this option by default in faye-websocket, but are publishing a minor release with added functionality for configuring it. We are mindful of the fact that this may break existing programs, but we consider it much more important that all clients have TLS verification turned on by default. A client that is not carrying out verification is either:

  • talking to the expected server, and will not break under this change
  • being attacked, and would benefit from being alerted to this fact
  • deliberately talking to a server that would be rejected by verification

The latter case includes situations like talking to a non-public server using a self-signed certificate. We consider this use case to be "working by accident", rather than functionality that was actively supported, and it should be properly and explicitly supported instead. To that end, we have added two new options to the Faye::WebSocket::Client constructor: tls.root_cert_file, and tls.verify_peer.

The :root_cert_file option lets you provide a different set of root certificates in situations where you don't want to use your system's default root certificates to verify the remote host. It should be a path or an array of paths identifying the certificates to use instead of the defaults.

client = Faye::WebSocket::Client.new('wss://example.com/', [], tls: {
  root_cert_file: 'path/to/certificate.pem'
})

The :verify_peer option lets you turn verification off entirely. This should be a last resort and we recommend using the :root_cert_file option if possible.

client = Faye::WebSocket::Client.new('wss://example.com/', [], tls: {
  verify_peer: false
})

To get the new behaviour, please upgrade to v0.11.0 of the Rubygems package. There are, unfortunately, no workarounds for this issue, as you cannot enable :verify_peer in EventMachine unless the calling library contains an implementation of ssl_verify_peer that actually checks the server's certificates.

For further background information on this issue, please see faye#524 and faye-websocket#129. We would like to thank Tero Marttila and Daniel Morsing for providing invaluable assistance and feedback on this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "faye-websocket"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-15133"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-07-31T17:39:00Z",
    "nvd_published_at": "2020-07-31T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "The `Faye::WebSocket::Client` class uses the [`EM::Connection#start_tls`][1] method in [EventMachine][2] to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `wss:` connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to.\n\nThis has been a requested feature in EventMachine for many years now; see for example [#275][3], [#378][4], and [#814][5]. In June 2020, [em-http-request][6] published an [advisory][7] related to this problem and fixed it by [implementing TLS verification][8] in their own codebase; although EventMachine does not implement certificate verification itself, it provides an extension point for the caller to implement it, called [`ssl_verify_peer`][9]. Based on this implementation, we have incorporated similar functionality into [faye-websocket for Ruby][10], such that we use the `OpenSSL` module to perform two checks:\n\n- The chain of certificates presented by the server is valid and ultimately trusted by your root certificate set -- either your system default root certificates, or a set provided at runtime\n- The final certificate presented by the server is valid for the hostname used in the request URI; if the connection is made via a proxy we use the hostname from the request, not the proxy\u0027s hostname\n\nAfter implementing verification in v1.1.6, em-http-request has elected to leave the `:verify_peer` option switched off by default. We have decided to _enable_ this option by default in faye-websocket, but are publishing a minor release with added functionality for configuring it. We are mindful of the fact that this may break existing programs, but we consider it much more important that\nall clients have TLS verification turned on by default. A client that is not carrying out verification is either:\n\n- talking to the expected server, and will not break under this change\n- being attacked, and would benefit from being alerted to this fact\n- deliberately talking to a server that would be rejected by verification\n\nThe latter case includes situations like talking to a non-public server using a self-signed certificate. We consider this use case to be \"working by accident\", rather than functionality that was actively supported, and it should be properly and explicitly supported instead. To that end, we have added two new options to the `Faye::WebSocket::Client` constructor: `tls.root_cert_file`, and `tls.verify_peer`.\n\nThe `:root_cert_file` option lets you provide a different set of root certificates in situations where you don\u0027t want to use your system\u0027s default root certificates to verify the remote host. It should be a path or an array of paths identifying the certificates to use instead of the defaults.\n\n```rb\nclient = Faye::WebSocket::Client.new(\u0027wss://example.com/\u0027, [], tls: {\n  root_cert_file: \u0027path/to/certificate.pem\u0027\n})\n```\n\nThe `:verify_peer` option lets you turn verification off entirely. This should be a last resort and we recommend using the `:root_cert_file` option if possible.\n\n```rb\nclient = Faye::WebSocket::Client.new(\u0027wss://example.com/\u0027, [], tls: {\n  verify_peer: false\n})\n```\n\nTo get the new behaviour, please upgrade to v0.11.0 of the [Rubygems package][10]. There are, unfortunately, no workarounds for this issue, as you cannot enable `:verify_peer` in EventMachine unless the calling library contains an implementation of `ssl_verify_peer` that actually checks the server\u0027s certificates.\n\nFor further background information on this issue, please see [faye#524][12] and [faye-websocket#129][13]. We would like to thank [Tero Marttila][14] and [Daniel Morsing][15] for providing invaluable assistance and feedback on this issue.\n\n[1]: https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:start_tls\n[2]: https://rubygems.org/gems/eventmachine\n[3]: https://github.com/eventmachine/eventmachine/issues/275\n[4]: https://github.com/eventmachine/eventmachine/pull/378\n[5]: https://github.com/eventmachine/eventmachine/issues/814\n[6]: https://rubygems.org/gems/em-http-request\n[7]: https://securitylab.github.com/advisories/GHSL-2020-094-igrigorik-em-http-request\n[8]: https://github.com/igrigorik/em-http-request/pull/340\n[9]: https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:ssl_verify_peer\n[10]: https://rubygems.org/gems/faye-websocket\n[12]: https://github.com/faye/faye/issues/524\n[13]: https://github.com/faye/faye-websocket-ruby/pull/129\n[14]: https://github.com/SpComb\n[15]: https://github.com/DanielMorsing",
  "id": "GHSA-2v5c-755p-p4gv",
  "modified": "2023-05-16T16:01:20Z",
  "published": "2020-07-31T17:40:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15133"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eventmachine/eventmachine/issues/275"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eventmachine/eventmachine/issues/814"
    },
    {
      "type": "WEB",
      "url": "https://github.com/faye/faye/issues/524"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eventmachine/eventmachine/pull/378"
    },
    {
      "type": "WEB",
      "url": "https://github.com/faye/faye-websocket-ruby/pull/129"
    },
    {
      "type": "WEB",
      "url": "https://github.com/igrigorik/em-http-request/pull/340"
    },
    {
      "type": "WEB",
      "url": "https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/faye/faye-websocket-ruby"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faye-websocket/CVE-2020-15133.yml"
    },
    {
      "type": "ADVISORY",
      "url": "https://securitylab.github.com/advisories/GHSL-2020-094-igrigorik-em-http-request"
    },
    {
      "type": "WEB",
      "url": "https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:ssl_verify_peer"
    },
    {
      "type": "WEB",
      "url": "https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:start_tls"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Missing TLS certificate verification in faye-websocket"
}

GHSA-2V64-WGMH-WHP9

Vulnerability from github – Published: 2025-01-23 03:30 – Updated: 2025-01-23 03:30
VLAI
Details

BigFix Patch Download Plug-ins are affected by an insecure protocol support. The application can allow improper handling of SSL certificates validation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-42186"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-23T03:15:08Z",
    "severity": "LOW"
  },
  "details": "BigFix Patch Download Plug-ins are affected by an insecure protocol support.  The application can allow improper handling of SSL certificates validation.",
  "id": "GHSA-2v64-wgmh-whp9",
  "modified": "2025-01-23T03:30:54Z",
  "published": "2025-01-23T03:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42186"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0118565"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2VFX-6MJQ-9CCV

Vulnerability from github – Published: 2022-05-17 00:35 – Updated: 2022-05-17 00:35
VLAI
Details

pulp-consumer-client 2.4.0 through 2.6.3 does not check the server's TLS certificate signatures when retrieving the server's public key upon registration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-5263"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-25T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "pulp-consumer-client 2.4.0 through 2.6.3 does not check the server\u0027s TLS certificate signatures when retrieving the server\u0027s public key upon registration.",
  "id": "GHSA-2vfx-6mjq-9ccv",
  "modified": "2022-05-17T00:35:08Z",
  "published": "2022-05-17T00:35:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5263"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pulp/pulp/commit/b542d7465f7e6e02e1ea1aec059ac607a65cefe7#diff-17110211f89c042a9267e2167dedd754"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pulp/pulp/blob/aa432bf58497b5e3682333b1d5f5ae4f45788a61/client_consumer/pulp/client/consumer/cli.py#L103"
    },
    {
      "type": "WEB",
      "url": "http://cve.killedkenny.io/cve/CVE-2015-5263"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2015/09/24/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2WGW-4X82-63XQ

Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20
VLAI
Details

FORT Validator versions prior to 1.5.2 will crash if an RPKI CA publishes an X.509 EE certificate. This will lead to RTR clients such as BGP routers to lose access to the RPKI VRP data set, effectively disabling Route Origin Validation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-43114"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-09T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "FORT Validator versions prior to 1.5.2 will crash if an RPKI CA publishes an X.509 EE certificate. This will lead to RTR clients such as BGP routers to lose access to the RPKI VRP data set, effectively disabling Route Origin Validation.",
  "id": "GHSA-2wgw-4x82-63xq",
  "modified": "2022-05-24T19:20:08Z",
  "published": "2022-05-24T19:20:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43114"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NICMx/FORT-validator/commit/274dc14aed1eb9b3350029d1063578a6b9c77b54"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NICMx/FORT-validator/commit/425e0f4037b4543fe8044ac96ca71d6d02d7d8c5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NICMx/FORT-validator/commit/673c679b6bf3f4187cd5242c31a795bf8a6c22b3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NICMx/FORT-validator/commit/eb68ebbaab50f3365aa51bbaa17cb862bf4607fa"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NICMx/FORT-validator/releases/tag/1.5.2"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-5033"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.

Mitigation
Implementation

If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.

CAPEC-459: Creating a Rogue Certification Authority Certificate

An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.

CAPEC-475: Signature Spoofing by Improper Validation

An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.