Common Weakness Enumeration

CWE-295

Allowed

Improper Certificate Validation

Abstraction: Base · Status: Draft

The product does not validate, or incorrectly validates, a certificate.

1908 vulnerabilities reference this CWE, most recent first.

GHSA-6VCJ-R95X-WJ5W

Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2024-04-04 02:32
VLAI
Details

Man-in-the-middle vulnerability in Micro Focus Self Service Password Reset, affecting all versions prior to 4.4.0.4. The vulnerability could exploit invalid certificate validation and may result in a man-in-the-middle attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-11674"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-22T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Man-in-the-middle vulnerability in Micro Focus Self Service Password Reset, affecting all versions prior to 4.4.0.4. The vulnerability could exploit invalid certificate validation and may result in a man-in-the-middle attack.",
  "id": "GHSA-6vcj-r95x-wj5w",
  "modified": "2024-04-04T02:32:25Z",
  "published": "2022-05-24T16:59:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11674"
    },
    {
      "type": "WEB",
      "url": "https://www.netiq.com/documentation/self-service-password-reset-44/release-notes-sspr-44-p4/data/release-notes-sspr-44-p4.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6WRG-CR3C-H2HF

Vulnerability from github – Published: 2024-04-02 00:30 – Updated: 2024-04-02 00:30
VLAI
Details

PDF-XChange Editor Updater Improper Certificate Validation Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is not required to exploit this vulnerability.

The specific flaw exists within the update functionality. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22224.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27323"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-01T22:15:15Z",
    "severity": "HIGH"
  },
  "details": "PDF-XChange Editor Updater Improper Certificate Validation Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is not required to exploit this vulnerability.\n\nThe specific flaw exists within the update functionality. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22224.",
  "id": "GHSA-6wrg-cr3c-h2hf",
  "modified": "2024-04-02T00:30:46Z",
  "published": "2024-04-02T00:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27323"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-198"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-72C7-4G63-HPW5

Vulnerability from github – Published: 2025-10-15 20:12 – Updated: 2025-10-16 14:43
VLAI
Summary
go-witness is Vulnerable to Improper Verification of AWS EC2 Identity Documents
Details

Impact

This vulnerability only affects users of the AWS attestor.

Users of the AWS attestor could have unknowingly received a forged identity document. While this may seem unlikely, AWS recently issued a security bulletin about IMDS (Instance Metadata Service) impersonation.[^1]

There are multiple locations where the verification of the identity document will mistakenly report a successful verification.

  • If a signature is not present or is empty https://github.com/in-toto/go-witness/blob/0c8bb30c143951d88b1d4b32f260c5f67d30137b/attestation/aws-iid/aws-iid.go#L161-L163

  • If the RSA verification of the document fails for any reason https://github.com/in-toto/go-witness/blob/0c8bb30c143951d88b1d4b32f260c5f67d30137b/attestation/aws-iid/aws-iid.go#L192-L196

Workarounds

The contents of the AWS attestation contain the identity document, signature, and public key that was used to verify the document. These attestations and their could be identity documents could be manually verified with the openssl command line as documented in the below reference from AWS.[^2]

However, the certificate containing the public key was hard-coded into the attestor. https://github.com/in-toto/go-witness/blob/0c8bb30c143951d88b1d4b32f260c5f67d30137b/attestation/aws-iid/aws-iid.go#L46-L66

Since the original authoring of the attestor, AWS has moved to region specific public certificates. The currently valid certificates were issued around April of 2024, making the identification of attestations with forged content difficult without additional trusted data proving the AWS region in which the attestation was created.

Patches

This vulnerability is addressed in go-witness 0.9.1 and witness 0.10.1.

Resources

[^1]: AWS Security Bulletin on IMDS Impersonation [^2]: Verification of instance identity documents

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/in-toto/go-witness"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62375"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-15T20:12:56Z",
    "nvd_published_at": "2025-10-15T20:15:36Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThis vulnerability only affects users of the AWS attestor.\n\nUsers of the AWS attestor could have unknowingly received a forged identity document. While this may seem unlikely, AWS recently issued a security bulletin about IMDS (Instance Metadata Service) impersonation.[^1]\n\nThere are multiple locations where the verification of the identity document will mistakenly report a successful verification.\n\n- If a signature is not present or is empty\nhttps://github.com/in-toto/go-witness/blob/0c8bb30c143951d88b1d4b32f260c5f67d30137b/attestation/aws-iid/aws-iid.go#L161-L163\n\n- If the RSA verification of the document fails for any reason\nhttps://github.com/in-toto/go-witness/blob/0c8bb30c143951d88b1d4b32f260c5f67d30137b/attestation/aws-iid/aws-iid.go#L192-L196\n\n### Workarounds\nThe contents of the AWS attestation contain the identity document, signature, and public key that was used to verify the document. These attestations and their could be identity documents could be manually verified with the `openssl` command line as documented in the below reference from AWS.[^2]\n\nHowever, the certificate containing the public key was hard-coded into the attestor. \nhttps://github.com/in-toto/go-witness/blob/0c8bb30c143951d88b1d4b32f260c5f67d30137b/attestation/aws-iid/aws-iid.go#L46-L66\n\nSince the original authoring of the attestor, AWS has moved to region specific public certificates. The currently valid certificates were issued around April of 2024, making the identification of attestations with forged content difficult without additional trusted data proving the AWS region in which the attestation was created.\n\n### Patches\nThis vulnerability is addressed in `go-witness` 0.9.1 and `witness` 0.10.1.\n\n### Resources\n[^1]: [AWS Security Bulletin on IMDS Impersonation](https://aws.amazon.com/security/security-bulletins/rss/aws-2025-021/)\n[^2]: [Verification of instance identity documents](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-iid.html#verify-signature)",
  "id": "GHSA-72c7-4g63-hpw5",
  "modified": "2025-10-16T14:43:47Z",
  "published": "2025-10-15T20:12:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/in-toto/go-witness/security/advisories/GHSA-72c7-4g63-hpw5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62375"
    },
    {
      "type": "WEB",
      "url": "https://github.com/in-toto/go-witness/commit/04ff20b600e28ce8fd1aa287534dd383a1cfefb9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/in-toto/go-witness"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "go-witness is Vulnerable to Improper Verification of AWS EC2 Identity Documents"
}

GHSA-72MH-269X-7MH5

Vulnerability from github – Published: 2021-05-24 19:52 – Updated: 2021-05-20 21:59
VLAI
Summary
Improper Certificate Validation in xmlhttprequest-ssl
Details

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "xmlhttprequest-ssl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-31597"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-20T21:59:29Z",
    "nvd_published_at": "2021-04-23T00:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.",
  "id": "GHSA-72mh-269x-7mh5",
  "modified": "2021-05-20T21:59:29Z",
  "published": "2021-05-24T19:52:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31597"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mjwwit/node-XMLHttpRequest/compare/v1.6.0...1.6.1"
    },
    {
      "type": "WEB",
      "url": "https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210618-0004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Certificate Validation in xmlhttprequest-ssl"
}

GHSA-72QJ-48G4-5XGX

Vulnerability from github – Published: 2025-05-07 17:32 – Updated: 2026-01-21 16:54
VLAI
Summary
JRuby-OpenSSL has hostname verification disabled by default
Details

Summary

When verifying SSL certificates, jruby-openssl is not verifying that the hostname presented in the certificate matches the one we are trying to connect to, meaning a MITM could just present any valid cert for a completely different domain they own, and JRuby wouldn't complain.

Details

n/a

PoC

An example domain bad.substitutealert.com was created to present the a certificate for the domain s8a.me. The following script run in IRB in CRuby 3.4.3 will fail with certificate verify failed (hostname mismatch), but will work just fine in JRuby 10.0.0.0 and JRuby 9.4.2.0, both of which use jruby-openssl version 0.15.3

require "net/http"
require "openssl"

uri   = URI("https://bad.substitutealert.com/")
https = Net::HTTP.new(uri.host, uri.port)
https.use_ssl      = true
https.verify_mode  = OpenSSL::SSL::VERIFY_PEER

body = https.start { https.get(uri.request_uri).body }
puts body

Impact

Anybody using JRuby to make requests of external APIs, or scraping the web, that depends on https to connect securely

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "rubygems:jruby-openssl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.12.1"
            },
            {
              "fixed": "0.15.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jruby:jruby"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0.0"
            },
            {
              "fixed": "10.0.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jruby:jruby"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.3.4.0"
            },
            {
              "fixed": "9.4.12.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "jruby-openssl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.12.1"
            },
            {
              "fixed": "0.15.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-46551"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295",
      "CWE-297"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-07T17:32:54Z",
    "nvd_published_at": "2025-05-07T17:15:58Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nWhen verifying SSL certificates, jruby-openssl is not verifying that the hostname presented in the certificate matches the one we are trying to connect to, meaning a MITM could just present _any_ valid cert for a completely different domain they own, and JRuby wouldn\u0027t complain. \n\n### Details\nn/a\n\n### PoC\nAn example domain bad.substitutealert.com was created to present the a certificate for the domain s8a.me. The following script run in IRB in CRuby 3.4.3 will fail with `certificate verify failed (hostname mismatch)`, but will work just fine in JRuby 10.0.0.0 and JRuby 9.4.2.0, both of which use jruby-openssl version 0.15.3\n\n```ruby\nrequire \"net/http\"\nrequire \"openssl\"\n\nuri   = URI(\"https://bad.substitutealert.com/\")\nhttps = Net::HTTP.new(uri.host, uri.port)\nhttps.use_ssl      = true\nhttps.verify_mode  = OpenSSL::SSL::VERIFY_PEER\n\nbody = https.start { https.get(uri.request_uri).body }\nputs body\n```\n\n### Impact\nAnybody using JRuby to make requests of external APIs, or scraping the web, that depends on https to connect securely",
  "id": "GHSA-72qj-48g4-5xgx",
  "modified": "2026-01-21T16:54:31Z",
  "published": "2025-05-07T17:32:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jruby/jruby-openssl/security/advisories/GHSA-72qj-48g4-5xgx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46551"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jruby/jruby-openssl/commit/31a56d690ce9b8af47af09aaaf809081949ed285"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jruby/jruby-openssl/commit/b1fc5d645c0d90891b8865925ac1c15e3f15a055"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jruby/jruby-openssl"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jruby-openssl/CVE-2025-46551.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "JRuby-OpenSSL has hostname verification disabled by default"
}

GHSA-72X2-RJXM-55P4

Vulnerability from github – Published: 2025-07-11 06:30 – Updated: 2025-07-11 06:30
VLAI
Details

The communication protocol used between client and server had a flaw that could be leveraged to execute a man in the middle attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30024"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-11T06:15:24Z",
    "severity": "MODERATE"
  },
  "details": "The communication protocol used between client\nand server had a flaw that could be leveraged to execute a man in the middle attack.",
  "id": "GHSA-72x2-rjxm-55p4",
  "modified": "2025-07-11T06:30:30Z",
  "published": "2025-07-11T06:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30024"
    },
    {
      "type": "WEB",
      "url": "https://www.axis.com/dam/public/01/d9/24/cve-2025-30024pdf-en-US-485734.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-72X5-8V8J-3PMX

Vulnerability from github – Published: 2024-05-03 03:30 – Updated: 2024-05-03 03:30
VLAI
Details

NETGEAR Multiple Routers curl_post Improper Certificate Validation Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of multiple NETGEAR routers. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the update functionality, which operates over HTTPS. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-19981.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-35721"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T02:15:34Z",
    "severity": "HIGH"
  },
  "details": "NETGEAR Multiple Routers curl_post Improper Certificate Validation Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of multiple NETGEAR routers. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the update functionality, which operates over HTTPS. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-19981.",
  "id": "GHSA-72x5-8v8j-3pmx",
  "modified": "2024-05-03T03:30:52Z",
  "published": "2024-05-03T03:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35721"
    },
    {
      "type": "WEB",
      "url": "https://kb.netgear.com/000065668/Security-Advisory-for-Improper-Remote-Server-Certificate-Validation-on-the-RAX50-PSV-2023-0019"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-893"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7359-3C6R-HFC2

Vulnerability from github – Published: 2021-04-22 16:22 – Updated: 2023-01-24 14:59
VLAI
Summary
Improper Certificate Validation in oauth ruby gem
Details

lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "oauth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-11086"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-20T18:23:58Z",
    "nvd_published_at": "2020-09-24T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information.",
  "id": "GHSA-7359-3c6r-hfc2",
  "modified": "2023-01-24T14:59:50Z",
  "published": "2021-04-22T16:22:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11086"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oauth-xx/oauth-ruby/issues/137"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oauth-xx/oauth-ruby/commit/eb5b00a91d4ef0899082fdba929c34ccad6d4ccb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/oauth-xx/oauth-ruby"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oauth-xx/oauth-ruby/releases/tag/v0.5.5"
    },
    {
      "type": "WEB",
      "url": "https://rubygems.org/gems/oauth"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Certificate Validation in oauth ruby gem"
}

GHSA-738X-V49G-P6HX

Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2024-10-22 17:24
VLAI
Summary
Scalyr Agent 2 Missing SSL Certificate Validation
Details

The Scalyr Agent before 2.1.10 has Missing SSL Certificate Validation because, in some circumstances, native Python code is used that lacks a comparison of the hostname to commonName and subjectAltName.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "scalyr-agent-2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-24715"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-13T20:29:13Z",
    "nvd_published_at": "2020-08-27T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The Scalyr Agent before 2.1.10 has Missing SSL Certificate Validation because, in some circumstances, native Python code is used that lacks a comparison of the hostname to commonName and subjectAltName.",
  "id": "GHSA-738x-v49g-p6hx",
  "modified": "2024-10-22T17:24:01Z",
  "published": "2022-05-24T17:26:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24715"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/scalyr-agent-2/PYSEC-2020-252.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/scalyr/scalyr-agent-2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/scalyr/scalyr-agent-2/blob/v2.1.10/CHANGELOG.md"
    },
    {
      "type": "WEB",
      "url": "https://scalyr-static.s3.amazonaws.com/technical-details/index.html"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20211209045826/https://scalyr-static.s3.amazonaws.com/technical-details/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Scalyr Agent 2 Missing SSL Certificate Validation"
}

GHSA-73M2-QFQ3-56CX

Vulnerability from github – Published: 2025-04-24 12:31 – Updated: 2025-05-17 00:30
VLAI
Summary
Apache HttpClient disables domain checks
Details

A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.httpcomponents.client5:httpclient5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.4-alpha1"
            },
            {
              "fixed": "5.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27820"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-24T16:36:08Z",
    "nvd_published_at": "2025-04-24T12:15:16Z",
    "severity": "HIGH"
  },
  "details": "A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release.",
  "id": "GHSA-73m2-qfq3-56cx",
  "modified": "2025-05-17T00:30:25Z",
  "published": "2025-04-24T12:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27820"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/httpcomponents-client/pull/574"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/httpcomponents-client/pull/621"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/httpcomponents-client"
    },
    {
      "type": "WEB",
      "url": "https://hc.apache.org/httpcomponents-client-5.4.x/index.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/55xhs40ncqv97qvoocok44995xp5kqn8"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20250516-0003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache HttpClient disables domain checks"
}

Mitigation
Architecture and Design Implementation

Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.

Mitigation
Implementation

If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.

CAPEC-459: Creating a Rogue Certification Authority Certificate

An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.

CAPEC-475: Signature Spoofing by Improper Validation

An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.