CWE-295
AllowedImproper Certificate Validation
Abstraction: Base · Status: Draft
The product does not validate, or incorrectly validates, a certificate.
1908 vulnerabilities reference this CWE, most recent first.
GHSA-GX75-Q38P-6X2Q
Vulnerability from github – Published: 2022-05-17 02:39 – Updated: 2025-04-20 03:39The "Charlevoix State Bank" by Charlevoix State Bank app 3.0.1 -- aka charlevoix-state-bank/id1128963717 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
{
"affected": [],
"aliases": [
"CVE-2017-9583"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-16T12:29:00Z",
"severity": "MODERATE"
},
"details": "The \"Charlevoix State Bank\" by Charlevoix State Bank app 3.0.1 -- aka charlevoix-state-bank/id1128963717 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.",
"id": "GHSA-gx75-q38p-6x2q",
"modified": "2025-04-20T03:39:13Z",
"published": "2022-05-17T02:39:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9583"
},
{
"type": "WEB",
"url": "https://medium.com/%40chronic_9612/advisory-44-credit-union-apps-for-ios-may-allow-login-credential-exposure-4d2f380b85c5"
},
{
"type": "WEB",
"url": "https://medium.com/@chronic_9612/advisory-44-credit-union-apps-for-ios-may-allow-login-credential-exposure-4d2f380b85c5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GXQ5-79M2-GVVQ
Vulnerability from github – Published: 2022-12-15 21:30 – Updated: 2022-12-20 15:22The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack. The problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.bookkeeper:bookkeeper-common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.14.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.bookkeeper:bookkeeper-common"
},
"ranges": [
{
"events": [
{
"introduced": "4.15.0"
},
{
"fixed": "4.15.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4.15.0"
]
}
],
"aliases": [
"CVE-2022-32531"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-15T23:33:41Z",
"nvd_published_at": "2022-12-15T19:15:00Z",
"severity": "MODERATE"
},
"details": "The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack. The problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1.",
"id": "GHSA-gxq5-79m2-gvvq",
"modified": "2022-12-20T15:22:58Z",
"published": "2022-12-15T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32531"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/bookkeeper"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-bookkeeper-client/PYSEC-2022-43060.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/xyk2lfc7lzof8mksmwyympbqxts1b5s9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Bookkeeper vulnerable to Improper Certificate Validation"
}
GHSA-H289-X5WC-XCV8
Vulnerability from github – Published: 2022-02-16 22:56 – Updated: 2024-05-20 21:13Impact
If no TLS configuration is provided by the user, the websocket package constructs its own TLS configuration using recommended defaults. When looking up a WSS endpoint using the DNS TXT record method described in XEP-0156: Discovering Alternative XMPP Connection Methods the ServerName field was incorrectly being set to the name of the server returned by the TXT record request, not the name of the initial server we were attempting to connect to. This means that any attacker that can spoof a DNS record (ie. in the absence of DNSSEC, DNS-over-TLS, DNS-over-HTTPS, or similar technologies) could redirect the user to a server of their choosing and as long as it had a valid TLS certificate for itself the connection would succeed, resulting in a MITM situation.
Patches
All users should upgrade to v0.21.1.
Workarounds
To work around the issue, manually specify a TLS configuration with the correct hostname.
References
- https://mellium.im/cve/cve-2022-24968/
- https://nvd.nist.gov/vuln/detail/CVE-2022-24968
For more information
If you have any questions or comments about this advisory: * Reach out on XMPP to sam@samwhited.com * Email us at sam@samwhited.com
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "mellium.im/xmpp"
},
"ranges": [
{
"events": [
{
"introduced": "0.18.0"
},
{
"fixed": "0.21.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24968"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-16T22:56:21Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nIf no TLS configuration is provided by the user, the websocket package constructs its own TLS configuration using recommended defaults. When looking up a WSS endpoint using the DNS TXT record method described in [XEP-0156: Discovering Alternative XMPP Connection Methods](https://xmpp.org/extensions/xep-0156.html) the ServerName field was incorrectly being set to the name of the server returned by the TXT record request, not the name of the initial server we were attempting to connect to. This means that any attacker that can spoof a DNS record (ie. in the absence of DNSSEC, DNS-over-TLS, DNS-over-HTTPS, or similar technologies) could redirect the user to a server of their choosing and as long as it had a valid TLS certificate for itself the connection would succeed, resulting in a MITM situation.\n\n### Patches\n\nAll users should upgrade to v0.21.1.\n\n### Workarounds\n\nTo work around the issue, manually specify a TLS configuration with the correct hostname.\n\n### References\n\n- https://mellium.im/cve/cve-2022-24968/\n- https://nvd.nist.gov/vuln/detail/CVE-2022-24968\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Reach out on XMPP to [sam@samwhited.com](xmpp:sam@samwhited.com?msg)\n* Email us at [sam@samwhited.com](mailto:sam@samwhited.com)\n",
"id": "GHSA-h289-x5wc-xcv8",
"modified": "2024-05-20T21:13:34Z",
"published": "2022-02-16T22:56:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mellium/xmpp/security/advisories/GHSA-h289-x5wc-xcv8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24968"
},
{
"type": "WEB",
"url": "https://github.com/mellium/xmpp/pull/260"
},
{
"type": "WEB",
"url": "https://github.com/mellium/xmpp/commit/0d92aa486da69b71f2f4a30e62aa722c711b98ac"
},
{
"type": "PACKAGE",
"url": "https://github.com/mellium/xmpp"
},
{
"type": "WEB",
"url": "https://mellium.im/cve/cve-2022-24968"
},
{
"type": "WEB",
"url": "https://mellium.im/issue/259"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-0370"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Validation of Certificate with Host Mismatch in mellium.im/xmpp/websocket"
}
GHSA-H28G-F96V-JHRG
Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2022-11-29 03:30** DISPUTED ** An issue was discovered in RIPE NCC RPKI Validator 3.x through 3.1-2020.07.06.14.28. It allows remote attackers to bypass intended access restrictions or to cause a denial of service on dependent routing systems by strategically withholding RPKI Route Origin Authorisation ".roa" files or X509 Certificate Revocation List files from the RPKI relying party's view. NOTE: some third parties may regard this as a preferred behavior, not a vulnerability.
{
"affected": [],
"aliases": [
"CVE-2020-16164"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-30T16:15:00Z",
"severity": "HIGH"
},
"details": "** DISPUTED ** An issue was discovered in RIPE NCC RPKI Validator 3.x through 3.1-2020.07.06.14.28. It allows remote attackers to bypass intended access restrictions or to cause a denial of service on dependent routing systems by strategically withholding RPKI Route Origin Authorisation \".roa\" files or X509 Certificate Revocation List files from the RPKI relying party\u0027s view. NOTE: some third parties may regard this as a preferred behavior, not a vulnerability.",
"id": "GHSA-h28g-f96v-jhrg",
"modified": "2022-11-29T03:30:25Z",
"published": "2022-05-24T17:24:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/RIPE-NCC/rpki-validator-3/security/advisories/GHSA-q76j-58cx-wp5v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16164"
},
{
"type": "WEB",
"url": "https://github.com/RIPE-NCC/rpki-validator-3/issues/158"
},
{
"type": "WEB",
"url": "https://github.com/RIPE-NCC/rpki-validator-3/issues/232"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H2FW-QH29-9JV7
Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-03-21 03:33systemd 239 through 243 accepts any certificate signed by a trusted certificate authority for DNS Over TLS. Server Name Indication (SNI) is not sent, and there is no hostname validation with the GnuTLS backend.
{
"affected": [],
"aliases": [
"CVE-2018-21029"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-30T22:15:00Z",
"severity": "CRITICAL"
},
"details": "systemd 239 through 243 accepts any certificate signed by a trusted certificate authority for DNS Over TLS. Server Name Indication (SNI) is not sent, and there is no hostname validation with the GnuTLS backend.",
"id": "GHSA-h2fw-qh29-9jv7",
"modified": "2024-03-21T03:33:41Z",
"published": "2022-05-24T17:00:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-21029"
},
{
"type": "WEB",
"url": "https://github.com/systemd/systemd/issues/9397"
},
{
"type": "WEB",
"url": "https://github.com/systemd/systemd/pull/13870"
},
{
"type": "WEB",
"url": "https://blog.cloudflare.com/dns-encryption-explained"
},
{
"type": "WEB",
"url": "https://github.com/systemd/systemd/blob/v239/man/resolved.conf.xml#L199-L207"
},
{
"type": "WEB",
"url": "https://github.com/systemd/systemd/blob/v243/man/resolved.conf.xml#L196-L207"
},
{
"type": "WEB",
"url": "https://github.com/systemd/systemd/blob/v243/src/resolve/resolved-dnstls-gnutls.c#L62-L63"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NLJVOJMB6ANDILRLDZK26YGLYBEPHKY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4NLJVOJMB6ANDILRLDZK26YGLYBEPHKY"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20191122-0002"
},
{
"type": "WEB",
"url": "https://tools.ietf.org/html/rfc7858#section-4.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H2MX-PPVP-V2RQ
Vulnerability from github – Published: 2026-02-23 18:32 – Updated: 2026-02-23 21:31An issue pertaining to CWE-295: Improper Certificate Validation was discovered in jxcore jxm master. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in HTTPS request options when 'jx_obj.IsSecure' is true
{
"affected": [],
"aliases": [
"CVE-2025-70045"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-23T16:29:36Z",
"severity": "HIGH"
},
"details": "An issue pertaining to CWE-295: Improper Certificate Validation was discovered in jxcore jxm master. The application disables TLS/SSL certificate validation by setting \u0027rejectUnauthorized\u0027: false in HTTPS request options when \u0027jx_obj.IsSecure\u0027 is true",
"id": "GHSA-h2mx-ppvp-v2rq",
"modified": "2026-02-23T21:31:26Z",
"published": "2026-02-23T18:32:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70045"
},
{
"type": "WEB",
"url": "https://gist.github.com/zcxlighthouse/bd5852a409c97438016f2c476f8461d9"
},
{
"type": "WEB",
"url": "https://github.com/jxcore"
},
{
"type": "WEB",
"url": "https://github.com/jxcore/jxm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H2Q8-MVPC-6J4J
Vulnerability from github – Published: 2023-03-25 00:30 – Updated: 2023-03-30 18:30ComponentSpace.Saml2 4.4.0 Missing SSL Certificate Validation.
{
"affected": [],
"aliases": [
"CVE-2022-45597"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-24T23:15:00Z",
"severity": "CRITICAL"
},
"details": "ComponentSpace.Saml2 4.4.0 Missing SSL Certificate Validation.",
"id": "GHSA-h2q8-mvpc-6j4j",
"modified": "2023-03-30T18:30:31Z",
"published": "2023-03-25T00:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45597"
},
{
"type": "WEB",
"url": "https://www.componentspace.com/documentation/saml-for-asp-net-core/ComponentSpace%20SAML%20for%20ASP.NET%20Core%20Release%20Notes.pdf"
},
{
"type": "WEB",
"url": "http://componentspace.com"
},
{
"type": "WEB",
"url": "http://componentspacesaml2.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H2R9-R9V2-FVWP
Vulnerability from github – Published: 2022-03-29 00:01 – Updated: 2022-04-05 00:00An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab does not validate SSL certificates for some of external CI services which makes it possible to perform MitM attacks on connections to these external services.
{
"affected": [],
"aliases": [
"CVE-2022-0123"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-28T19:15:00Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab does not validate SSL certificates for some of external CI services which makes it possible to perform MitM attacks on connections to these external services.",
"id": "GHSA-h2r9-r9v2-fvwp",
"modified": "2022-04-05T00:00:49Z",
"published": "2022-03-29T00:01:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0123"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0123.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/296632"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H32X-W4CV-WRQ9
Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2022-05-24 17:38A flaw was found in JBCS httpd in version 2.4.37 SP3, where it uses a back-end worker SSL certificate with the keystore file's ID is 'unknown'. The validation of the certificate whether CN and hostname are matching stopped working and allow connecting to the back-end work. The highest threat from this vulnerability is to data integrity.
{
"affected": [],
"aliases": [
"CVE-2020-25680"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-07T18:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in JBCS httpd in version 2.4.37 SP3, where it uses a back-end worker SSL certificate with the keystore file\u0027s ID is \u0027unknown\u0027. The validation of the certificate whether CN and hostname are matching stopped working and allow connecting to the back-end work. The highest threat from this vulnerability is to data integrity.",
"id": "GHSA-h32x-w4cv-wrq9",
"modified": "2022-05-24T17:38:11Z",
"published": "2022-05-24T17:38:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25680"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1892703"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-H355-32PF-P2XM
Vulnerability from github – Published: 2026-02-05 18:30 – Updated: 2026-02-06 18:30During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
{
"affected": [],
"aliases": [
"CVE-2025-68121"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-05T18:16:10Z",
"severity": "MODERATE"
},
"details": "During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.",
"id": "GHSA-h355-32pf-p2xm",
"modified": "2026-02-06T18:30:31Z",
"published": "2026-02-05T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121"
},
{
"type": "WEB",
"url": "https://go.dev/cl/737700"
},
{
"type": "WEB",
"url": "https://go.dev/issue/77217"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2026-4337"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.
Mitigation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.