Common Weakness Enumeration

CWE-295

Allowed

Improper Certificate Validation

Abstraction: Base · Status: Draft

The product does not validate, or incorrectly validates, a certificate.

1908 vulnerabilities reference this CWE, most recent first.

GHSA-G3XR-5W5J-W4Q4

Vulnerability from github – Published: 2026-07-02 17:15 – Updated: 2026-07-02 17:15
VLAI
Summary
Contour has Improper JWT Verification for Non-SNI Requests on Virtual Hosts with Fallback Certificate Enabled
Details

Impact

When an HTTPProxy is configured with incompatible combination of both .spec.virtualhost.tls.enableFallbackCertificate: true and .spec.virtualhost.jwtProviders, Contour does not reject the configuration. Consequently, requests from clients that do not send TLS SNI or send an unrecognized SNI (one that does not match any HTTPProxy FQDN) bypass configured JWT verification and are proxied to upstream services without a valid token.

To list all HTTPProxies with this invalid configuration, run

kubectl get httpproxies -A -o json | jq -r '
  .items[]
  | select(.spec.virtualhost | .tls.enableFallbackCertificate and .jwtProviders)
  | "Invalid HTTPProxy found: \(.metadata.namespace)/\(.metadata.name)"
'

Patches

This issue is fixed in Contour v1.33.5. Contour now rejects and marks invalid any HTTPProxy resources that combine .spec.virtualhost.tls.enableFallbackCertificate: true with .spec.virtualhost.jwtProviders. Affected resources will receive a status condition with the error reason TLSIncompatibleFeatures.

Workarounds

Do not enable .spec.virtualhost.tls.enableFallbackCertificate on HTTPProxy resources that also define .spec.virtualhost.jwtProviders. Remove one of the two settings to avoid the invalid configuration.

References

  • Contour fallback certificate documentation: https://projectcontour.io/docs/main/config/tls-termination/#fallback-certificate
  • Contour JWT verification documentation: https://projectcontour.io/docs/main/config/jwt-verification/
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/projectcontour/contour"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.23.0"
            },
            {
              "fixed": "1.33.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-50149"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T17:15:20Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nWhen an `HTTPProxy` is configured with incompatible combination of both `.spec.virtualhost.tls.enableFallbackCertificate: true` and `.spec.virtualhost.jwtProviders`, Contour does not reject the configuration. Consequently, requests from clients that do not send TLS SNI or send an unrecognized SNI (one that does not match any `HTTPProxy` FQDN) bypass configured JWT verification and are proxied to upstream services without a valid token.\n\nTo list all `HTTPProxies` with this invalid configuration, run\n\n```bash\nkubectl get httpproxies -A -o json | jq -r \u0027\n  .items[]\n  | select(.spec.virtualhost | .tls.enableFallbackCertificate and .jwtProviders)\n  | \"Invalid HTTPProxy found: \\(.metadata.namespace)/\\(.metadata.name)\"\n\u0027\n```\n\n### Patches\n\nThis issue is fixed in Contour v1.33.5. Contour now rejects and marks invalid any `HTTPProxy` resources that combine `.spec.virtualhost.tls.enableFallbackCertificate: true` with `.spec.virtualhost.jwtProviders`. Affected resources will receive a status  condition with the error reason `TLSIncompatibleFeatures`.\n\n### Workarounds\n\nDo not enable `.spec.virtualhost.tls.enableFallbackCertificate` on `HTTPProxy` resources that also define `.spec.virtualhost.jwtProviders`. Remove one of the two settings to avoid the invalid configuration.\n\n### References\n\n- Contour fallback certificate documentation: https://projectcontour.io/docs/main/config/tls-termination/#fallback-certificate\n- Contour JWT verification documentation: https://projectcontour.io/docs/main/config/jwt-verification/",
  "id": "GHSA-g3xr-5w5j-w4q4",
  "modified": "2026-07-02T17:15:20Z",
  "published": "2026-07-02T17:15:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/projectcontour/contour/security/advisories/GHSA-g3xr-5w5j-w4q4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/projectcontour/contour"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Contour has Improper JWT Verification for Non-SNI Requests on Virtual Hosts with Fallback Certificate Enabled"
}

GHSA-G4MP-W67Q-HF7C

Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 01:02
VLAI
Details

The ASUS HiVivo aspplication before 5.6.27 for ASUS Watch has Missing SSL Certificate Validation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-17945"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-24T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The ASUS HiVivo aspplication before 5.6.27 for ASUS Watch has Missing SSL Certificate Validation.",
  "id": "GHSA-g4mp-w67q-hf7c",
  "modified": "2024-04-04T01:02:38Z",
  "published": "2022-05-24T16:48:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17945"
    },
    {
      "type": "WEB",
      "url": "http://firstsight.me/2017/12/lack-of-binary-protection-at-asus-vivo-baby-and-hivivo-for-android-that-could-result-of-several-security-issues"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G4R8-3QMH-PMCH

Vulnerability from github – Published: 2025-11-13 15:30 – Updated: 2025-11-13 23:11
VLAI
Summary
pgAdmin has vulnerability in LDAP authentication mechanism that allows bypassing TLS certificate verification
Details

pgAdmin <= 9.9 is affected by a vulnerability in the LDAP authentication mechanism allows bypassing TLS certificate verification.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.9"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "pgadmin4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-12765"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-13T23:11:15Z",
    "nvd_published_at": "2025-11-13T13:15:45Z",
    "severity": "HIGH"
  },
  "details": "pgAdmin \u003c= 9.9\u00a0is affected by a\u00a0vulnerability in the LDAP authentication mechanism allows bypassing TLS certificate verification.",
  "id": "GHSA-g4r8-3qmh-pmch",
  "modified": "2025-11-13T23:11:15Z",
  "published": "2025-11-13T15:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12765"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pgadmin-org/pgadmin4/issues/9324"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pgadmin-org/pgadmin4/commit/09d2b7eeb0e330df73b1aef0cba57788fde52b6b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pgadmin-org/pgadmin4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pgAdmin has vulnerability in LDAP authentication mechanism that allows bypassing TLS certificate verification"
}

GHSA-G529-HV2C-7MQF

Vulnerability from github – Published: 2023-08-14 21:30 – Updated: 2024-04-04 06:56
VLAI
Details

In multiple locations, there are root CA certificates which need to be disabled. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21265"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-14T21:15:12Z",
    "severity": "HIGH"
  },
  "details": "In multiple locations, there are root CA certificates which need to be disabled. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.\n\n",
  "id": "GHSA-g529-hv2c-7mqf",
  "modified": "2024-04-04T06:56:02Z",
  "published": "2023-08-14T21:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21265"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/system/ca-certificates/+/6065b4a4c7da9cc9ee01c2f6389575647d2724c4"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2023-08-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G56R-PHRF-6PC4

Vulnerability from github – Published: 2023-04-29 00:30 – Updated: 2023-05-08 18:30
VLAI
Details

HTTP::Tiny 0.082, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31486"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-29T00:15:09Z",
    "severity": null
  },
  "details": "HTTP::Tiny 0.082, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.",
  "id": "GHSA-g56r-phrf-6pc4",
  "modified": "2023-05-08T18:30:16Z",
  "published": "2023-04-29T00:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31486"
    },
    {
      "type": "WEB",
      "url": "https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules"
    },
    {
      "type": "WEB",
      "url": "https://hackeriet.github.io/cpan-http-tiny-overview"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2023/04/18/14"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2023/05/03/4"
    },
    {
      "type": "WEB",
      "url": "https://www.reddit.com/r/perl/comments/111tadi/psa_httptiny_disabled_ssl_verification_by_default"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/04/29/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/05/03/3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/05/03/5"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/05/07/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G5XX-F9CV-W25H

Vulnerability from github – Published: 2022-04-12 00:00 – Updated: 2022-04-19 00:01
VLAI
Details

In A-GPS, there is a possible man in the middle attack due to improper certificate validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06461919; Issue ID: ALPS06461919.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20081"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-11T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In A-GPS, there is a possible man in the middle attack due to improper certificate validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06461919; Issue ID: ALPS06461919.",
  "id": "GHSA-g5xx-f9cv-w25h",
  "modified": "2022-04-19T00:01:20Z",
  "published": "2022-04-12T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20081"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/April-2022"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G636-WXGP-6G5H

Vulnerability from github – Published: 2022-05-17 02:49 – Updated: 2022-05-17 02:49
VLAI
Details

Shoplat App for iOS 1.10.00 through 1.18.00 does not properly verify SSL certificates.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-1132"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-13T14:59:00Z",
    "severity": "HIGH"
  },
  "details": "Shoplat App for iOS 1.10.00 through 1.18.00 does not properly verify SSL certificates.",
  "id": "GHSA-g636-wxgp-6g5h",
  "modified": "2022-05-17T02:49:25Z",
  "published": "2022-05-17T02:49:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1132"
    },
    {
      "type": "WEB",
      "url": "http://jvn.jp/en/jp/JVN47951769/index.html"
    },
    {
      "type": "WEB",
      "url": "http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000004.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G6X8-5JJ7-QQFV

Vulnerability from github – Published: 2025-07-19 00:32 – Updated: 2025-07-19 00:32
VLAI
Details

A certificate verification error in wolfSSL when building with the WOLFSSL_SYS_CA_CERTS and WOLFSSL_APPLE_NATIVE_CERT_VALIDATION options results in the wolfSSL client failing to properly verify the server certificate's domain name, allowing any certificate issued by a trusted CA to be accepted regardless of the hostname.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7395"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-18T23:15:23Z",
    "severity": "CRITICAL"
  },
  "details": "A certificate verification error in wolfSSL when building with the WOLFSSL_SYS_CA_CERTS and WOLFSSL_APPLE_NATIVE_CERT_VALIDATION options results in the wolfSSL\n client failing to properly verify the server certificate\u0027s domain name,\n allowing any certificate issued by a trusted CA to be accepted regardless of the hostname.",
  "id": "GHSA-g6x8-5jj7-qqfv",
  "modified": "2025-07-19T00:32:31Z",
  "published": "2025-07-19T00:32:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7395"
    },
    {
      "type": "WEB",
      "url": "http://github.com/wolfssl/wolfssl.git"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:D/RE:X/U:Red",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G732-V53W-3QQ2

Vulnerability from github – Published: 2023-05-01 15:30 – Updated: 2024-04-04 03:44
VLAI
Details

A certificate validation vulnerability exists in the Baiying Android application which could lead to information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48186"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-01T15:15:09Z",
    "severity": "HIGH"
  },
  "details": "A certificate validation vulnerability exists in the Baiying Android application which could lead to information disclosure.",
  "id": "GHSA-g732-v53w-3qq2",
  "modified": "2024-04-04T03:44:41Z",
  "published": "2023-05-01T15:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48186"
    },
    {
      "type": "WEB",
      "url": "https://iknow.lenovo.com.cn/detail/dc_206093.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G784-X97G-R6WW

Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06
VLAI
Details

Dell UEFI BIOS https stack leveraged by the Dell BIOSConnect feature and Dell HTTPS Boot feature contains an improper certificate validation vulnerability. A remote unauthenticated attacker may exploit this vulnerability using a person-in-the-middle attack which may lead to a denial of service and payload tampering.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-21571"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-24T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Dell UEFI BIOS https stack leveraged by the Dell BIOSConnect feature and Dell HTTPS Boot feature contains an improper certificate validation vulnerability. A remote unauthenticated attacker may exploit this vulnerability using a person-in-the-middle attack which may lead to a denial of service and payload tampering.",
  "id": "GHSA-g784-x97g-r6ww",
  "modified": "2022-05-24T19:06:05Z",
  "published": "2022-05-24T19:06:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21571"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000188682"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design Implementation

Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.

Mitigation
Implementation

If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.

CAPEC-459: Creating a Rogue Certification Authority Certificate

An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.

CAPEC-475: Signature Spoofing by Improper Validation

An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.