CWE-295
AllowedImproper Certificate Validation
Abstraction: Base · Status: Draft
The product does not validate, or incorrectly validates, a certificate.
1908 vulnerabilities reference this CWE, most recent first.
GHSA-G3XR-5W5J-W4Q4
Vulnerability from github – Published: 2026-07-02 17:15 – Updated: 2026-07-02 17:15Impact
When an HTTPProxy is configured with incompatible combination of both .spec.virtualhost.tls.enableFallbackCertificate: true and .spec.virtualhost.jwtProviders, Contour does not reject the configuration. Consequently, requests from clients that do not send TLS SNI or send an unrecognized SNI (one that does not match any HTTPProxy FQDN) bypass configured JWT verification and are proxied to upstream services without a valid token.
To list all HTTPProxies with this invalid configuration, run
kubectl get httpproxies -A -o json | jq -r '
.items[]
| select(.spec.virtualhost | .tls.enableFallbackCertificate and .jwtProviders)
| "Invalid HTTPProxy found: \(.metadata.namespace)/\(.metadata.name)"
'
Patches
This issue is fixed in Contour v1.33.5. Contour now rejects and marks invalid any HTTPProxy resources that combine .spec.virtualhost.tls.enableFallbackCertificate: true with .spec.virtualhost.jwtProviders. Affected resources will receive a status condition with the error reason TLSIncompatibleFeatures.
Workarounds
Do not enable .spec.virtualhost.tls.enableFallbackCertificate on HTTPProxy resources that also define .spec.virtualhost.jwtProviders. Remove one of the two settings to avoid the invalid configuration.
References
- Contour fallback certificate documentation: https://projectcontour.io/docs/main/config/tls-termination/#fallback-certificate
- Contour JWT verification documentation: https://projectcontour.io/docs/main/config/jwt-verification/
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/projectcontour/contour"
},
"ranges": [
{
"events": [
{
"introduced": "1.23.0"
},
{
"fixed": "1.33.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-50149"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T17:15:20Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nWhen an `HTTPProxy` is configured with incompatible combination of both `.spec.virtualhost.tls.enableFallbackCertificate: true` and `.spec.virtualhost.jwtProviders`, Contour does not reject the configuration. Consequently, requests from clients that do not send TLS SNI or send an unrecognized SNI (one that does not match any `HTTPProxy` FQDN) bypass configured JWT verification and are proxied to upstream services without a valid token.\n\nTo list all `HTTPProxies` with this invalid configuration, run\n\n```bash\nkubectl get httpproxies -A -o json | jq -r \u0027\n .items[]\n | select(.spec.virtualhost | .tls.enableFallbackCertificate and .jwtProviders)\n | \"Invalid HTTPProxy found: \\(.metadata.namespace)/\\(.metadata.name)\"\n\u0027\n```\n\n### Patches\n\nThis issue is fixed in Contour v1.33.5. Contour now rejects and marks invalid any `HTTPProxy` resources that combine `.spec.virtualhost.tls.enableFallbackCertificate: true` with `.spec.virtualhost.jwtProviders`. Affected resources will receive a status condition with the error reason `TLSIncompatibleFeatures`.\n\n### Workarounds\n\nDo not enable `.spec.virtualhost.tls.enableFallbackCertificate` on `HTTPProxy` resources that also define `.spec.virtualhost.jwtProviders`. Remove one of the two settings to avoid the invalid configuration.\n\n### References\n\n- Contour fallback certificate documentation: https://projectcontour.io/docs/main/config/tls-termination/#fallback-certificate\n- Contour JWT verification documentation: https://projectcontour.io/docs/main/config/jwt-verification/",
"id": "GHSA-g3xr-5w5j-w4q4",
"modified": "2026-07-02T17:15:20Z",
"published": "2026-07-02T17:15:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/projectcontour/contour/security/advisories/GHSA-g3xr-5w5j-w4q4"
},
{
"type": "PACKAGE",
"url": "https://github.com/projectcontour/contour"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Contour has Improper JWT Verification for Non-SNI Requests on Virtual Hosts with Fallback Certificate Enabled"
}
GHSA-G4MP-W67Q-HF7C
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 01:02The ASUS HiVivo aspplication before 5.6.27 for ASUS Watch has Missing SSL Certificate Validation.
{
"affected": [],
"aliases": [
"CVE-2017-17945"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-24T19:15:00Z",
"severity": "CRITICAL"
},
"details": "The ASUS HiVivo aspplication before 5.6.27 for ASUS Watch has Missing SSL Certificate Validation.",
"id": "GHSA-g4mp-w67q-hf7c",
"modified": "2024-04-04T01:02:38Z",
"published": "2022-05-24T16:48:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17945"
},
{
"type": "WEB",
"url": "http://firstsight.me/2017/12/lack-of-binary-protection-at-asus-vivo-baby-and-hivivo-for-android-that-could-result-of-several-security-issues"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G4R8-3QMH-PMCH
Vulnerability from github – Published: 2025-11-13 15:30 – Updated: 2025-11-13 23:11pgAdmin <= 9.9 is affected by a vulnerability in the LDAP authentication mechanism allows bypassing TLS certificate verification.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.9"
},
"package": {
"ecosystem": "PyPI",
"name": "pgadmin4"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-12765"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-13T23:11:15Z",
"nvd_published_at": "2025-11-13T13:15:45Z",
"severity": "HIGH"
},
"details": "pgAdmin \u003c= 9.9\u00a0is affected by a\u00a0vulnerability in the LDAP authentication mechanism allows bypassing TLS certificate verification.",
"id": "GHSA-g4r8-3qmh-pmch",
"modified": "2025-11-13T23:11:15Z",
"published": "2025-11-13T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12765"
},
{
"type": "WEB",
"url": "https://github.com/pgadmin-org/pgadmin4/issues/9324"
},
{
"type": "WEB",
"url": "https://github.com/pgadmin-org/pgadmin4/commit/09d2b7eeb0e330df73b1aef0cba57788fde52b6b"
},
{
"type": "PACKAGE",
"url": "https://github.com/pgadmin-org/pgadmin4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "pgAdmin has vulnerability in LDAP authentication mechanism that allows bypassing TLS certificate verification"
}
GHSA-G529-HV2C-7MQF
Vulnerability from github – Published: 2023-08-14 21:30 – Updated: 2024-04-04 06:56In multiple locations, there are root CA certificates which need to be disabled. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2023-21265"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-14T21:15:12Z",
"severity": "HIGH"
},
"details": "In multiple locations, there are root CA certificates which need to be disabled. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.\n\n",
"id": "GHSA-g529-hv2c-7mqf",
"modified": "2024-04-04T06:56:02Z",
"published": "2023-08-14T21:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21265"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/system/ca-certificates/+/6065b4a4c7da9cc9ee01c2f6389575647d2724c4"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2023-08-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G56R-PHRF-6PC4
Vulnerability from github – Published: 2023-04-29 00:30 – Updated: 2023-05-08 18:30HTTP::Tiny 0.082, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.
{
"affected": [],
"aliases": [
"CVE-2023-31486"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-29T00:15:09Z",
"severity": null
},
"details": "HTTP::Tiny 0.082, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.",
"id": "GHSA-g56r-phrf-6pc4",
"modified": "2023-05-08T18:30:16Z",
"published": "2023-04-29T00:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31486"
},
{
"type": "WEB",
"url": "https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules"
},
{
"type": "WEB",
"url": "https://hackeriet.github.io/cpan-http-tiny-overview"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2023/04/18/14"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2023/05/03/4"
},
{
"type": "WEB",
"url": "https://www.reddit.com/r/perl/comments/111tadi/psa_httptiny_disabled_ssl_verification_by_default"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/04/29/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/05/03/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/05/03/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/05/07/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G5XX-F9CV-W25H
Vulnerability from github – Published: 2022-04-12 00:00 – Updated: 2022-04-19 00:01In A-GPS, there is a possible man in the middle attack due to improper certificate validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06461919; Issue ID: ALPS06461919.
{
"affected": [],
"aliases": [
"CVE-2022-20081"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-11T20:15:00Z",
"severity": "MODERATE"
},
"details": "In A-GPS, there is a possible man in the middle attack due to improper certificate validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06461919; Issue ID: ALPS06461919.",
"id": "GHSA-g5xx-f9cv-w25h",
"modified": "2022-04-19T00:01:20Z",
"published": "2022-04-12T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20081"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/April-2022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G636-WXGP-6G5H
Vulnerability from github – Published: 2022-05-17 02:49 – Updated: 2022-05-17 02:49Shoplat App for iOS 1.10.00 through 1.18.00 does not properly verify SSL certificates.
{
"affected": [],
"aliases": [
"CVE-2016-1132"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-13T14:59:00Z",
"severity": "HIGH"
},
"details": "Shoplat App for iOS 1.10.00 through 1.18.00 does not properly verify SSL certificates.",
"id": "GHSA-g636-wxgp-6g5h",
"modified": "2022-05-17T02:49:25Z",
"published": "2022-05-17T02:49:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1132"
},
{
"type": "WEB",
"url": "http://jvn.jp/en/jp/JVN47951769/index.html"
},
{
"type": "WEB",
"url": "http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000004.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G6X8-5JJ7-QQFV
Vulnerability from github – Published: 2025-07-19 00:32 – Updated: 2025-07-19 00:32A certificate verification error in wolfSSL when building with the WOLFSSL_SYS_CA_CERTS and WOLFSSL_APPLE_NATIVE_CERT_VALIDATION options results in the wolfSSL client failing to properly verify the server certificate's domain name, allowing any certificate issued by a trusted CA to be accepted regardless of the hostname.
{
"affected": [],
"aliases": [
"CVE-2025-7395"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-18T23:15:23Z",
"severity": "CRITICAL"
},
"details": "A certificate verification error in wolfSSL when building with the WOLFSSL_SYS_CA_CERTS and WOLFSSL_APPLE_NATIVE_CERT_VALIDATION options results in the wolfSSL\n client failing to properly verify the server certificate\u0027s domain name,\n allowing any certificate issued by a trusted CA to be accepted regardless of the hostname.",
"id": "GHSA-g6x8-5jj7-qqfv",
"modified": "2025-07-19T00:32:31Z",
"published": "2025-07-19T00:32:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7395"
},
{
"type": "WEB",
"url": "http://github.com/wolfssl/wolfssl.git"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:D/RE:X/U:Red",
"type": "CVSS_V4"
}
]
}
GHSA-G732-V53W-3QQ2
Vulnerability from github – Published: 2023-05-01 15:30 – Updated: 2024-04-04 03:44A certificate validation vulnerability exists in the Baiying Android application which could lead to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2022-48186"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-01T15:15:09Z",
"severity": "HIGH"
},
"details": "A certificate validation vulnerability exists in the Baiying Android application which could lead to information disclosure.",
"id": "GHSA-g732-v53w-3qq2",
"modified": "2024-04-04T03:44:41Z",
"published": "2023-05-01T15:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48186"
},
{
"type": "WEB",
"url": "https://iknow.lenovo.com.cn/detail/dc_206093.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G784-X97G-R6WW
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06Dell UEFI BIOS https stack leveraged by the Dell BIOSConnect feature and Dell HTTPS Boot feature contains an improper certificate validation vulnerability. A remote unauthenticated attacker may exploit this vulnerability using a person-in-the-middle attack which may lead to a denial of service and payload tampering.
{
"affected": [],
"aliases": [
"CVE-2021-21571"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-24T17:15:00Z",
"severity": "MODERATE"
},
"details": "Dell UEFI BIOS https stack leveraged by the Dell BIOSConnect feature and Dell HTTPS Boot feature contains an improper certificate validation vulnerability. A remote unauthenticated attacker may exploit this vulnerability using a person-in-the-middle attack which may lead to a denial of service and payload tampering.",
"id": "GHSA-g784-x97g-r6ww",
"modified": "2022-05-24T19:06:05Z",
"published": "2022-05-24T19:06:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21571"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000188682"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.
Mitigation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.