CWE-295
AllowedImproper Certificate Validation
Abstraction: Base · Status: Draft
The product does not validate, or incorrectly validates, a certificate.
1908 vulnerabilities reference this CWE, most recent first.
GHSA-3C7C-8HJ4-V9QH
Vulnerability from github – Published: 2024-09-27 21:31 – Updated: 2024-09-27 21:31In versions of the PEADM Forge Module prior to 3.24.0 a security misconfiguration was discovered.
{
"affected": [],
"aliases": [
"CVE-2024-9160"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-27T19:15:10Z",
"severity": "MODERATE"
},
"details": "In versions of the PEADM Forge Module prior to 3.24.0 a security misconfiguration was discovered.",
"id": "GHSA-3c7c-8hj4-v9qh",
"modified": "2024-09-27T21:31:50Z",
"published": "2024-09-27T21:31:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9160"
},
{
"type": "WEB",
"url": "https://portal.perforce.com/s/detail/a91PA000001SXN3YAO"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3CGR-WXHV-H7XW
Vulnerability from github – Published: 2022-02-25 00:01 – Updated: 2022-06-04 00:00LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to contain both "X509Data" and "KeyValue" children of the "KeyInfo" tag, which when opened caused LibreOffice to verify using the "KeyValue" but to report verification with the unrelated "X509Data" value. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.5.
{
"affected": [],
"aliases": [
"CVE-2021-25636"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-24T15:15:00Z",
"severity": "HIGH"
},
"details": "LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to contain both \"X509Data\" and \"KeyValue\" children of the \"KeyInfo\" tag, which when opened caused LibreOffice to verify using the \"KeyValue\" but to report verification with the unrelated \"X509Data\" value. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.5.",
"id": "GHSA-3cgr-wxhv-h7xw",
"modified": "2022-06-04T00:00:41Z",
"published": "2022-02-25T00:01:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25636"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NE6UIBCPZWRBWPSEGJOPNWPPT3CCMVH2"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NE6UIBCPZWRBWPSEGJOPNWPPT3CCMVH2"
},
{
"type": "WEB",
"url": "https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25636"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3CQJ-J486-JHQ2
Vulnerability from github – Published: 2022-05-17 02:55 – Updated: 2025-04-20 03:33The esets_daemon service in ESET Endpoint Antivirus for macOS before 6.4.168.0 and Endpoint Security for macOS before 6.4.168.0 does not properly verify X.509 certificates from the edf.eset.com SSL server, which allows man-in-the-middle attackers to spoof this server and provide crafted responses to license activation requests via a self-signed certificate. NOTE: this issue can be combined with CVE-2016-0718 to execute arbitrary code remotely as root.
{
"affected": [],
"aliases": [
"CVE-2016-9892"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-02T23:59:00Z",
"severity": "MODERATE"
},
"details": "The esets_daemon service in ESET Endpoint Antivirus for macOS before 6.4.168.0 and Endpoint Security for macOS before 6.4.168.0 does not properly verify X.509 certificates from the edf.eset.com SSL server, which allows man-in-the-middle attackers to spoof this server and provide crafted responses to license activation requests via a self-signed certificate. NOTE: this issue can be combined with CVE-2016-0718 to execute arbitrary code remotely as root.",
"id": "GHSA-3cqj-j486-jhq2",
"modified": "2025-04-20T03:33:34Z",
"published": "2022-05-17T02:55:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9892"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/141350/ESET-Endpoint-Antivirus-6-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2017/Feb/68"
},
{
"type": "WEB",
"url": "http://support.eset.com/ca6333"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96462"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3CQM-MF7H-PRRJ
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2025-11-13 16:34In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11 Android ID: A-171980069
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.squareup.okhttp3:okhttp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.9.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-0341"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-13T16:34:06Z",
"nvd_published_at": "2021-02-10T17:15:00Z",
"severity": "HIGH"
},
"details": "In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11 Android ID: A-171980069",
"id": "GHSA-3cqm-mf7h-prrj",
"modified": "2025-11-13T16:34:06Z",
"published": "2022-05-24T17:41:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0341"
},
{
"type": "WEB",
"url": "https://github.com/square/okhttp/issues/6724"
},
{
"type": "WEB",
"url": "https://github.com/square/okhttp/pull/6741"
},
{
"type": "WEB",
"url": "https://github.com/square/okhttp/commit/f574ea2f5259d9040f264ddeb582fb1ce563f10c"
},
{
"type": "PACKAGE",
"url": "https://github.com/square/okhttp"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2021-02-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Square OkHttp can accept the wrong certificate"
}
GHSA-3F24-PCVM-5JQC
Vulnerability from github – Published: 2026-03-24 21:51 – Updated: 2026-03-27 22:10Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
One authentication model supported is mTLS, deriving the NATS client identity from properties of the TLS Client Certificate.
Problem Description
When using mTLS for client identity, with verify_and_map to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass.
This does require a valid certificate from a CA already trusted for client certificates, and DN naming patterns which the NATS maintainers consider highly unlikely.
So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their DN construction patterns might conceivably be impacted.
Affected Versions
Fixed in nats-server 2.12.6 & 2.11.15
Workarounds
Developers should review their CA issuing practices.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/nats-io/nats-server/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/nats-io/nats-server/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.12.0-RC.1"
},
{
"fixed": "2.12.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/nats-io/nats-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33248"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-24T21:51:08Z",
"nvd_published_at": "2026-03-25T21:16:47Z",
"severity": "MODERATE"
},
"details": "### Background\n\nNATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.\n\nOne authentication model supported is mTLS, deriving the NATS client identity from properties of the TLS Client Certificate.\n\n### Problem Description\n\nWhen using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate\u0027s Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass.\n\nThis does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely.\n\nSo this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted.\n\n### Affected Versions\n\nFixed in nats-server 2.12.6 \u0026 2.11.15\n\n### Workarounds\n\nDevelopers should review their CA issuing practices.",
"id": "GHSA-3f24-pcvm-5jqc",
"modified": "2026-03-27T22:10:38Z",
"published": "2026-03-24T21:51:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33248"
},
{
"type": "WEB",
"url": "https://advisories.nats.io/CVE/secnote-2026-13.txt"
},
{
"type": "PACKAGE",
"url": "https://github.com/nats-io/nats-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching"
}
GHSA-3F5M-RVCJ-V254
Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2025-04-20 03:37The PUMA PUMATRAC app 3.0.2 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
{
"affected": [],
"aliases": [
"CVE-2017-8943"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-15T18:29:00Z",
"severity": "MODERATE"
},
"details": "The PUMA PUMATRAC app 3.0.2 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.",
"id": "GHSA-3f5m-rvcj-v254",
"modified": "2025-04-20T03:37:45Z",
"published": "2022-05-13T01:06:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8943"
},
{
"type": "WEB",
"url": "https://medium.com/%40chronic_9612/follow-up-76-popular-apps-confirmed-vulnerable-to-silent-interception-of-tls-protected-data-64185035029f"
},
{
"type": "WEB",
"url": "https://medium.com/@chronic_9612/follow-up-76-popular-apps-confirmed-vulnerable-to-silent-interception-of-tls-protected-data-64185035029f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3FJ3-2V72-XM29
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 01:02The ASUS Vivobaby application before 1.1.09 for Android has Missing SSL Certificate Validation.
{
"affected": [],
"aliases": [
"CVE-2017-17944"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-20T15:15:00Z",
"severity": "CRITICAL"
},
"details": "The ASUS Vivobaby application before 1.1.09 for Android has Missing SSL Certificate Validation.",
"id": "GHSA-3fj3-2v72-xm29",
"modified": "2024-04-04T01:02:07Z",
"published": "2022-05-24T16:48:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17944"
},
{
"type": "WEB",
"url": "http://firstsight.me/2017/12/lack-of-binary-protection-at-asus-vivo-baby-and-hivivo-for-android-that-could-result-of-several-security-issues"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3G46-58RQ-XQF3
Vulnerability from github – Published: 2022-05-24 17:02 – Updated: 2024-04-04 02:42The Audible application through 2.34.0 for Android has Missing SSL Certificate Validation, allowing MITM attackers to cause a denial of service.
{
"affected": [],
"aliases": [
"CVE-2019-11554"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-06T16:15:00Z",
"severity": "MODERATE"
},
"details": "The Audible application through 2.34.0 for Android has Missing SSL Certificate Validation, allowing MITM attackers to cause a denial of service.",
"id": "GHSA-3g46-58rq-xqf3",
"modified": "2024-04-04T02:42:03Z",
"published": "2022-05-24T17:02:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11554"
},
{
"type": "WEB",
"url": "https://pankajupadhyay.in/2019/12/06/audible-and-a-curious-case-of-insecure-by-default-in-adobe-sdks"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3G76-F9XQ-8VP6
Vulnerability from github – Published: 2026-05-09 00:38 – Updated: 2026-06-02 22:07Potential unbounded server-side SNI SslContext cache growth in Vert.x TLS handling, with = resource-exhaustion / DoS impact. On affected versions, matching server-side SNI names are cached via computeIfAbsent(serverName, ...) in a serverName-keyed SslContext cache.
The implementation differs slightly by branch, but the same sink appears to be present in released versions 4.3.4 through 5.0.11:
- 4.3.x: SSLHelper
- 4.4.x / 4.5.x: SslChannelProvider
- 5.0.x and current master: SslContextProvider
When server-side SNI is enabled and wildcard or otherwise broad hostname mappings are used, an unauthenticated client can send many distinct matching SNI names and cause the server to retain increasing numbers of SslContext entries over time, leading to increasing memory consumption and possible DoS conditions.
Steps to reproduce
- Configure a Vert.x server with
setSsl(true)andsetSni(true). - Use a keystore or mapping where many distinct SNI names match a wildcard or similarly broad rule.
- Send repeated connections with distinct matching SNI values.
- Observe that the SNI cache size grows with the number of unique matching names.
What are the affected versions?
Affected released versions confirmed on origin:
- 4.3.4 through 4.3.8
- 4.4.0 through 4.4.9
- 4.5.0 through 4.5.26
- 5.0.0 through 5.0.11
Not affected by the same sink:
- 4.0.x through 4.2.x
- 4.3.0 through 4.3.3
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.vertx:vertx-core"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.4"
},
{
"last_affected": "4.3.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "io.vertx:vertx-core"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0"
},
{
"last_affected": "4.4.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.5.26"
},
"package": {
"ecosystem": "Maven",
"name": "io.vertx:vertx-core"
},
"ranges": [
{
"events": [
{
"introduced": "4.5.0"
},
{
"fixed": "4.5.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.0.11"
},
"package": {
"ecosystem": "Maven",
"name": "io.vertx:vertx-core"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-6860"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-09T00:38:30Z",
"nvd_published_at": "2026-05-06T10:16:26Z",
"severity": "MODERATE"
},
"details": "Potential unbounded server-side SNI `SslContext` cache growth in Vert.x TLS handling, with = resource-exhaustion / DoS impact. On affected versions, matching server-side SNI names are cached via `computeIfAbsent(serverName, ...)` in a serverName-keyed `SslContext` cache.\n\nThe implementation differs slightly by branch, but the same sink appears to be present in released versions `4.3.4` through `5.0.11`:\n- `4.3.x`: `SSLHelper`\n- `4.4.x` / `4.5.x`: `SslChannelProvider`\n- `5.0.x` and current `master`: `SslContextProvider`\n\nWhen server-side SNI is enabled and wildcard or otherwise broad hostname mappings are used, an unauthenticated client can send many distinct matching SNI names and cause the server to retain increasing numbers of `SslContext` entries over time, leading to increasing memory consumption and possible DoS conditions.\n\n## Steps to reproduce\n\n1. Configure a Vert.x server with `setSsl(true)` and `setSni(true)`.\n2. Use a keystore or mapping where many distinct SNI names match a wildcard or similarly broad rule.\n3. Send repeated connections with distinct matching SNI values.\n4. Observe that the SNI cache size grows with the number of unique matching names.\n\n## What are the affected versions?\n\nAffected released versions confirmed on `origin`:\n- `4.3.4` through `4.3.8`\n- `4.4.0` through `4.4.9`\n- `4.5.0` through `4.5.26`\n- `5.0.0` through `5.0.11`\n\nNot affected by the same sink:\n- `4.0.x` through `4.2.x`\n- `4.3.0` through `4.3.3`",
"id": "GHSA-3g76-f9xq-8vp6",
"modified": "2026-06-02T22:07:06Z",
"published": "2026-05-09T00:38:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/eclipse-vertx/vert.x/security/advisories/GHSA-3g76-f9xq-8vp6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6860"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-vertx/vert.x/pull/6102"
},
{
"type": "PACKAGE",
"url": "https://github.com/eclipse-vertx/vert.x"
},
{
"type": "WEB",
"url": "https://github.com/vert-x3/wiki/wiki/4.5.27-Release-Notes"
},
{
"type": "WEB",
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/381"
},
{
"type": "WEB",
"url": "https://vertx.io/blog/eclipse-vert-x-4-5-27"
},
{
"type": "WEB",
"url": "https://vertx.io/blog/eclipse-vert-x-5-0-12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
"type": "CVSS_V4"
}
],
"summary": "Vert.x has a DoS via unbounded server-side SNI SslContext cache growth"
}
GHSA-3GG8-MC87-CQ3H
Vulnerability from github – Published: 2024-04-21 18:30 – Updated: 2024-07-03 20:40Improper Certificate Validation vulnerability in Apache Airflow FTP Provider.
The FTP hook lacks complete certificate validation in FTP_TLS connections, which can potentially be leveraged. Implementing proper certificate validation by passing context=ssl.create_default_context() during FTP_TLS instantiation is used as mitigation to validate the certificates properly.
This issue affects Apache Airflow FTP Provider: before 3.7.0.
Users are recommended to upgrade to version 3.7.0, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow-providers-ftp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-29733"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-24T19:52:02Z",
"nvd_published_at": "2024-04-21T18:15:45Z",
"severity": "LOW"
},
"details": "Improper Certificate Validation vulnerability in Apache Airflow FTP Provider.\n\nThe FTP hook lacks complete certificate validation in FTP_TLS connections, which can potentially be leveraged. Implementing proper certificate validation by passing context=ssl.create_default_context() during FTP_TLS instantiation is used as mitigation to validate the certificates properly.\n\nThis issue affects Apache Airflow FTP Provider: before 3.7.0.\n\nUsers are recommended to upgrade to version 3.7.0, which fixes the issue.",
"id": "GHSA-3gg8-mc87-cq3h",
"modified": "2024-07-03T20:40:29Z",
"published": "2024-04-21T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29733"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/38266"
},
{
"type": "WEB",
"url": "https://docs.python.org/3/library/ssl.html#best-defaults"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/blob/95e26118b828c364755f3a8c96870f3591b01c31/airflow/providers/ftp/hooks/ftp.py#L280"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/265t5zbmtjs6h9fkw52wtp03nsbplky2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/04/19/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Certificate Validation vulnerability in Apache Airflow FTP Provider"
}
Mitigation
Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.
Mitigation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.