Common Weakness Enumeration

CWE-295

Allowed

Improper Certificate Validation

Abstraction: Base · Status: Draft

The product does not validate, or incorrectly validates, a certificate.

1908 vulnerabilities reference this CWE, most recent first.

GHSA-3C7C-8HJ4-V9QH

Vulnerability from github – Published: 2024-09-27 21:31 – Updated: 2024-09-27 21:31
VLAI
Details

In versions of the PEADM Forge Module prior to 3.24.0 a security misconfiguration was discovered.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9160"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-27T19:15:10Z",
    "severity": "MODERATE"
  },
  "details": "In versions of the PEADM Forge Module prior to 3.24.0 a security misconfiguration was discovered.",
  "id": "GHSA-3c7c-8hj4-v9qh",
  "modified": "2024-09-27T21:31:50Z",
  "published": "2024-09-27T21:31:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9160"
    },
    {
      "type": "WEB",
      "url": "https://portal.perforce.com/s/detail/a91PA000001SXN3YAO"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-3CGR-WXHV-H7XW

Vulnerability from github – Published: 2022-02-25 00:01 – Updated: 2022-06-04 00:00
VLAI
Details

LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to contain both "X509Data" and "KeyValue" children of the "KeyInfo" tag, which when opened caused LibreOffice to verify using the "KeyValue" but to report verification with the unrelated "X509Data" value. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25636"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-24T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to contain both \"X509Data\" and \"KeyValue\" children of the \"KeyInfo\" tag, which when opened caused LibreOffice to verify using the \"KeyValue\" but to report verification with the unrelated \"X509Data\" value. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.5.",
  "id": "GHSA-3cgr-wxhv-h7xw",
  "modified": "2022-06-04T00:00:41Z",
  "published": "2022-02-25T00:01:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25636"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NE6UIBCPZWRBWPSEGJOPNWPPT3CCMVH2"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NE6UIBCPZWRBWPSEGJOPNWPPT3CCMVH2"
    },
    {
      "type": "WEB",
      "url": "https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25636"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3CQJ-J486-JHQ2

Vulnerability from github – Published: 2022-05-17 02:55 – Updated: 2025-04-20 03:33
VLAI
Details

The esets_daemon service in ESET Endpoint Antivirus for macOS before 6.4.168.0 and Endpoint Security for macOS before 6.4.168.0 does not properly verify X.509 certificates from the edf.eset.com SSL server, which allows man-in-the-middle attackers to spoof this server and provide crafted responses to license activation requests via a self-signed certificate. NOTE: this issue can be combined with CVE-2016-0718 to execute arbitrary code remotely as root.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-9892"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-02T23:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The esets_daemon service in ESET Endpoint Antivirus for macOS before 6.4.168.0 and Endpoint Security for macOS before 6.4.168.0 does not properly verify X.509 certificates from the edf.eset.com SSL server, which allows man-in-the-middle attackers to spoof this server and provide crafted responses to license activation requests via a self-signed certificate.  NOTE: this issue can be combined with CVE-2016-0718 to execute arbitrary code remotely as root.",
  "id": "GHSA-3cqj-j486-jhq2",
  "modified": "2025-04-20T03:33:34Z",
  "published": "2022-05-17T02:55:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9892"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/141350/ESET-Endpoint-Antivirus-6-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2017/Feb/68"
    },
    {
      "type": "WEB",
      "url": "http://support.eset.com/ca6333"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96462"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3CQM-MF7H-PRRJ

Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2025-11-13 16:34
VLAI
Summary
Square OkHttp can accept the wrong certificate
Details

In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11 Android ID: A-171980069

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.squareup.okhttp3:okhttp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-0341"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-13T16:34:06Z",
    "nvd_published_at": "2021-02-10T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11 Android ID: A-171980069",
  "id": "GHSA-3cqm-mf7h-prrj",
  "modified": "2025-11-13T16:34:06Z",
  "published": "2022-05-24T17:41:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0341"
    },
    {
      "type": "WEB",
      "url": "https://github.com/square/okhttp/issues/6724"
    },
    {
      "type": "WEB",
      "url": "https://github.com/square/okhttp/pull/6741"
    },
    {
      "type": "WEB",
      "url": "https://github.com/square/okhttp/commit/f574ea2f5259d9040f264ddeb582fb1ce563f10c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/square/okhttp"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2021-02-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Square OkHttp can accept the wrong certificate"
}

GHSA-3F24-PCVM-5JQC

Vulnerability from github – Published: 2026-03-24 21:51 – Updated: 2026-03-27 22:10
VLAI
Summary
NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching
Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

One authentication model supported is mTLS, deriving the NATS client identity from properties of the TLS Client Certificate.

Problem Description

When using mTLS for client identity, with verify_and_map to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass.

This does require a valid certificate from a CA already trusted for client certificates, and DN naming patterns which the NATS maintainers consider highly unlikely.

So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their DN construction patterns might conceivably be impacted.

Affected Versions

Fixed in nats-server 2.12.6 & 2.11.15

Workarounds

Developers should review their CA issuing practices.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nats-io/nats-server/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nats-io/nats-server/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.12.0-RC.1"
            },
            {
              "fixed": "2.12.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nats-io/nats-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33248"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T21:51:08Z",
    "nvd_published_at": "2026-03-25T21:16:47Z",
    "severity": "MODERATE"
  },
  "details": "### Background\n\nNATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.\n\nOne authentication model supported is mTLS, deriving the NATS client identity from properties of the TLS Client Certificate.\n\n### Problem Description\n\nWhen using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate\u0027s Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass.\n\nThis does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely.\n\nSo this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted.\n\n### Affected Versions\n\nFixed in nats-server 2.12.6 \u0026 2.11.15\n\n### Workarounds\n\nDevelopers should review their CA issuing practices.",
  "id": "GHSA-3f24-pcvm-5jqc",
  "modified": "2026-03-27T22:10:38Z",
  "published": "2026-03-24T21:51:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33248"
    },
    {
      "type": "WEB",
      "url": "https://advisories.nats.io/CVE/secnote-2026-13.txt"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nats-io/nats-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching"
}

GHSA-3F5M-RVCJ-V254

Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2025-04-20 03:37
VLAI
Details

The PUMA PUMATRAC app 3.0.2 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8943"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-15T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The PUMA PUMATRAC app 3.0.2 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.",
  "id": "GHSA-3f5m-rvcj-v254",
  "modified": "2025-04-20T03:37:45Z",
  "published": "2022-05-13T01:06:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8943"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/%40chronic_9612/follow-up-76-popular-apps-confirmed-vulnerable-to-silent-interception-of-tls-protected-data-64185035029f"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@chronic_9612/follow-up-76-popular-apps-confirmed-vulnerable-to-silent-interception-of-tls-protected-data-64185035029f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3FJ3-2V72-XM29

Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 01:02
VLAI
Details

The ASUS Vivobaby application before 1.1.09 for Android has Missing SSL Certificate Validation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-17944"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-20T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The ASUS Vivobaby application before 1.1.09 for Android has Missing SSL Certificate Validation.",
  "id": "GHSA-3fj3-2v72-xm29",
  "modified": "2024-04-04T01:02:07Z",
  "published": "2022-05-24T16:48:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17944"
    },
    {
      "type": "WEB",
      "url": "http://firstsight.me/2017/12/lack-of-binary-protection-at-asus-vivo-baby-and-hivivo-for-android-that-could-result-of-several-security-issues"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3G46-58RQ-XQF3

Vulnerability from github – Published: 2022-05-24 17:02 – Updated: 2024-04-04 02:42
VLAI
Details

The Audible application through 2.34.0 for Android has Missing SSL Certificate Validation, allowing MITM attackers to cause a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-11554"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-06T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Audible application through 2.34.0 for Android has Missing SSL Certificate Validation, allowing MITM attackers to cause a denial of service.",
  "id": "GHSA-3g46-58rq-xqf3",
  "modified": "2024-04-04T02:42:03Z",
  "published": "2022-05-24T17:02:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11554"
    },
    {
      "type": "WEB",
      "url": "https://pankajupadhyay.in/2019/12/06/audible-and-a-curious-case-of-insecure-by-default-in-adobe-sdks"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3G76-F9XQ-8VP6

Vulnerability from github – Published: 2026-05-09 00:38 – Updated: 2026-06-02 22:07
VLAI
Summary
Vert.x has a DoS via unbounded server-side SNI SslContext cache growth
Details

Potential unbounded server-side SNI SslContext cache growth in Vert.x TLS handling, with = resource-exhaustion / DoS impact. On affected versions, matching server-side SNI names are cached via computeIfAbsent(serverName, ...) in a serverName-keyed SslContext cache.

The implementation differs slightly by branch, but the same sink appears to be present in released versions 4.3.4 through 5.0.11: - 4.3.x: SSLHelper - 4.4.x / 4.5.x: SslChannelProvider - 5.0.x and current master: SslContextProvider

When server-side SNI is enabled and wildcard or otherwise broad hostname mappings are used, an unauthenticated client can send many distinct matching SNI names and cause the server to retain increasing numbers of SslContext entries over time, leading to increasing memory consumption and possible DoS conditions.

Steps to reproduce

  1. Configure a Vert.x server with setSsl(true) and setSni(true).
  2. Use a keystore or mapping where many distinct SNI names match a wildcard or similarly broad rule.
  3. Send repeated connections with distinct matching SNI values.
  4. Observe that the SNI cache size grows with the number of unique matching names.

What are the affected versions?

Affected released versions confirmed on origin: - 4.3.4 through 4.3.8 - 4.4.0 through 4.4.9 - 4.5.0 through 4.5.26 - 5.0.0 through 5.0.11

Not affected by the same sink: - 4.0.x through 4.2.x - 4.3.0 through 4.3.3

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.vertx:vertx-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.4"
            },
            {
              "last_affected": "4.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.vertx:vertx-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.4.0"
            },
            {
              "last_affected": "4.4.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.5.26"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.vertx:vertx-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.5.0"
            },
            {
              "fixed": "4.5.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.11"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.vertx:vertx-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-6860"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-09T00:38:30Z",
    "nvd_published_at": "2026-05-06T10:16:26Z",
    "severity": "MODERATE"
  },
  "details": "Potential unbounded server-side SNI `SslContext` cache growth in Vert.x TLS handling, with = resource-exhaustion / DoS impact. On affected versions, matching server-side SNI names are cached via `computeIfAbsent(serverName, ...)` in a serverName-keyed `SslContext` cache.\n\nThe implementation differs slightly by branch, but the same sink appears to be present in released versions `4.3.4` through `5.0.11`:\n- `4.3.x`: `SSLHelper`\n- `4.4.x` / `4.5.x`: `SslChannelProvider`\n- `5.0.x` and current `master`: `SslContextProvider`\n\nWhen server-side SNI is enabled and wildcard or otherwise broad hostname mappings are used, an unauthenticated client can send many distinct matching SNI names and cause the server to retain increasing numbers of `SslContext` entries over time, leading to increasing memory consumption and possible DoS conditions.\n\n## Steps to reproduce\n\n1. Configure a Vert.x server with `setSsl(true)` and `setSni(true)`.\n2. Use a keystore or mapping where many distinct SNI names match a wildcard or similarly broad rule.\n3. Send repeated connections with distinct matching SNI values.\n4. Observe that the SNI cache size grows with the number of unique matching names.\n\n## What are the affected versions?\n\nAffected released versions confirmed on `origin`:\n- `4.3.4` through `4.3.8`\n- `4.4.0` through `4.4.9`\n- `4.5.0` through `4.5.26`\n- `5.0.0` through `5.0.11`\n\nNot affected by the same sink:\n- `4.0.x` through `4.2.x`\n- `4.3.0` through `4.3.3`",
  "id": "GHSA-3g76-f9xq-8vp6",
  "modified": "2026-06-02T22:07:06Z",
  "published": "2026-05-09T00:38:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-vertx/vert.x/security/advisories/GHSA-3g76-f9xq-8vp6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6860"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-vertx/vert.x/pull/6102"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/eclipse-vertx/vert.x"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vert-x3/wiki/wiki/4.5.27-Release-Notes"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/381"
    },
    {
      "type": "WEB",
      "url": "https://vertx.io/blog/eclipse-vert-x-4-5-27"
    },
    {
      "type": "WEB",
      "url": "https://vertx.io/blog/eclipse-vert-x-5-0-12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Vert.x has a DoS via unbounded server-side SNI SslContext cache growth"
}

GHSA-3GG8-MC87-CQ3H

Vulnerability from github – Published: 2024-04-21 18:30 – Updated: 2024-07-03 20:40
VLAI
Summary
Improper Certificate Validation vulnerability in Apache Airflow FTP Provider
Details

Improper Certificate Validation vulnerability in Apache Airflow FTP Provider.

The FTP hook lacks complete certificate validation in FTP_TLS connections, which can potentially be leveraged. Implementing proper certificate validation by passing context=ssl.create_default_context() during FTP_TLS instantiation is used as mitigation to validate the certificates properly.

This issue affects Apache Airflow FTP Provider: before 3.7.0.

Users are recommended to upgrade to version 3.7.0, which fixes the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-airflow-providers-ftp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-29733"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-24T19:52:02Z",
    "nvd_published_at": "2024-04-21T18:15:45Z",
    "severity": "LOW"
  },
  "details": "Improper Certificate Validation vulnerability in Apache Airflow FTP Provider.\n\nThe FTP hook lacks complete certificate validation in FTP_TLS connections, which can potentially be leveraged. Implementing proper certificate validation by passing context=ssl.create_default_context() during FTP_TLS instantiation is used as mitigation to validate the certificates properly.\n\nThis issue affects Apache Airflow FTP Provider: before 3.7.0.\n\nUsers are recommended to upgrade to version 3.7.0, which fixes the issue.",
  "id": "GHSA-3gg8-mc87-cq3h",
  "modified": "2024-07-03T20:40:29Z",
  "published": "2024-04-21T18:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29733"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/pull/38266"
    },
    {
      "type": "WEB",
      "url": "https://docs.python.org/3/library/ssl.html#best-defaults"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/airflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/blob/95e26118b828c364755f3a8c96870f3591b01c31/airflow/providers/ftp/hooks/ftp.py#L280"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/265t5zbmtjs6h9fkw52wtp03nsbplky2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/04/19/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Certificate Validation vulnerability in Apache Airflow FTP Provider"
}

Mitigation
Architecture and Design Implementation

Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.

Mitigation
Implementation

If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.

CAPEC-459: Creating a Rogue Certification Authority Certificate

An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.

CAPEC-475: Signature Spoofing by Improper Validation

An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.