CWE-295
AllowedImproper Certificate Validation
Abstraction: Base · Status: Draft
The product does not validate, or incorrectly validates, a certificate.
1908 vulnerabilities reference this CWE, most recent first.
GHSA-HC88-JRP9-M46P
Vulnerability from github – Published: 2023-09-19 18:30 – Updated: 2024-04-04 07:44MiniTool Power Data Recovery 11.5 contains an insecure in-app payment system that allows attackers to steal highly sensitive information through a man in the middle attack.
{
"affected": [],
"aliases": [
"CVE-2023-38353"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-19T16:15:11Z",
"severity": "MODERATE"
},
"details": "MiniTool Power Data Recovery 11.5 contains an insecure in-app payment system that allows attackers to steal highly sensitive information through a man in the middle attack.",
"id": "GHSA-hc88-jrp9-m46p",
"modified": "2024-04-04T07:44:20Z",
"published": "2023-09-19T18:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38353"
},
{
"type": "WEB",
"url": "https://0dr3f.github.io/cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HCVP-GMJ3-5G5V
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11In GNOME evolution-rss through 0.3.96, network-soup.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.
{
"affected": [],
"aliases": [
"CVE-2021-39361"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-22T19:15:00Z",
"severity": "MODERATE"
},
"details": "In GNOME evolution-rss through 0.3.96, network-soup.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.",
"id": "GHSA-hcvp-gmj3-5g5v",
"modified": "2022-05-24T19:11:51Z",
"published": "2022-05-24T19:11:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39361"
},
{
"type": "WEB",
"url": "https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/evolution-rss/-/issues/11"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HCWR-Q245-XP6F
Vulnerability from github – Published: 2022-05-17 02:39 – Updated: 2025-04-20 03:39The "KC Area Credit Union Mobile Banking" by K C Area Credit Union app 3.0.1 -- aka kc-area-credit-union-mobile-banking/id1097607736 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
{
"affected": [],
"aliases": [
"CVE-2017-9574"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-16T12:29:00Z",
"severity": "MODERATE"
},
"details": "The \"KC Area Credit Union Mobile Banking\" by K C Area Credit Union app 3.0.1 -- aka kc-area-credit-union-mobile-banking/id1097607736 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.",
"id": "GHSA-hcwr-q245-xp6f",
"modified": "2025-04-20T03:39:12Z",
"published": "2022-05-17T02:39:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9574"
},
{
"type": "WEB",
"url": "https://medium.com/%40chronic_9612/advisory-44-credit-union-apps-for-ios-may-allow-login-credential-exposure-4d2f380b85c5"
},
{
"type": "WEB",
"url": "https://medium.com/@chronic_9612/advisory-44-credit-union-apps-for-ios-may-allow-login-credential-exposure-4d2f380b85c5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HF82-6JFF-F22V
Vulnerability from github – Published: 2026-07-03 09:31 – Updated: 2026-07-06 18:30libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup.
An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.
{
"affected": [],
"aliases": [
"CVE-2026-11564"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-03T07:16:23Z",
"severity": "CRITICAL"
},
"details": "libcurl keeps previously used connections in a connection pool for subsequent\ntransfers to reuse if one of them matches the setup.\n\nAn easy handle that first uses default native CA trust can continue trusting\nthe native platform store after the application switches that same handle to\ncustom CA material for a later transfer.",
"id": "GHSA-hf82-6jff-f22v",
"modified": "2026-07-06T18:30:47Z",
"published": "2026-07-03T09:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11564"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3788984"
},
{
"type": "WEB",
"url": "https://curl.se/docs/CVE-2026-11564.html"
},
{
"type": "WEB",
"url": "https://curl.se/docs/CVE-2026-11564.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HFXC-7RP9-XW9W
Vulnerability from github – Published: 2024-11-02 06:32 – Updated: 2024-11-04 15:31qBittorrent before 5.0.1 proceeds with use of https URLs even after certificate validation errors.
{
"affected": [],
"aliases": [
"CVE-2024-51774"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-02T06:15:03Z",
"severity": "HIGH"
},
"details": "qBittorrent before 5.0.1 proceeds with use of https URLs even after certificate validation errors.",
"id": "GHSA-hfxc-7rp9-xw9w",
"modified": "2024-11-04T15:31:56Z",
"published": "2024-11-02T06:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51774"
},
{
"type": "WEB",
"url": "https://news.ycombinator.com/item?id=42004219"
},
{
"type": "WEB",
"url": "https://sharpsec.run/rce-vulnerability-in-qbittorrent"
},
{
"type": "WEB",
"url": "https://www.qbittorrent.org/news"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HG39-JWRC-32X5
Vulnerability from github – Published: 2025-08-28 15:30 – Updated: 2025-09-23 18:30Improper Certificate Validation in Checkmk Exchange plugin BGP Monitoring allows attackers in MitM position to intercept traffic.
{
"affected": [],
"aliases": [
"CVE-2025-58123"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-28T13:16:09Z",
"severity": "MODERATE"
},
"details": "Improper Certificate Validation in Checkmk Exchange plugin BGP Monitoring allows attackers in MitM position to intercept traffic.",
"id": "GHSA-hg39-jwrc-32x5",
"modified": "2025-09-23T18:30:21Z",
"published": "2025-08-28T15:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58123"
},
{
"type": "WEB",
"url": "https://exchange.checkmk.com/p/bgp-mon"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HG75-4CMP-F367
Vulnerability from github – Published: 2026-04-10 06:31 – Updated: 2026-04-27 18:32wolfSSL_X509_verify_cert in the OpenSSL compatibility layer accepts a certificate chain in which the leaf's signature is not checked, if the attacker supplies an untrusted intermediate with Basic Constraints CA:FALSE that is legitimately signed by a trusted root. An attacker who obtains any leaf certificate from a trusted CA (e.g. a free DV cert from Let's Encrypt) can forge a certificate for any subject name with any public key and arbitrary signature bytes, and the function returns WOLFSSL_SUCCESS / X509_V_OK. The native wolfSSL TLS handshake path (ProcessPeerCerts) is not susceptible and the issue is limited to applications using the OpenSSL compatibility API directly, which would include integrations of wolfSSL into nginx and haproxy.
{
"affected": [],
"aliases": [
"CVE-2026-5501"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-10T04:17:17Z",
"severity": "HIGH"
},
"details": "wolfSSL_X509_verify_cert in the OpenSSL compatibility layer accepts a certificate chain in which the leaf\u0027s signature is not checked, if the attacker supplies an untrusted intermediate with Basic Constraints `CA:FALSE` that is legitimately signed by a trusted root. An attacker who obtains any leaf certificate from a trusted CA (e.g. a free DV cert from Let\u0027s Encrypt) can forge a certificate for any subject name with any public key and arbitrary signature bytes, and the function returns `WOLFSSL_SUCCESS` / `X509_V_OK`. The native wolfSSL TLS handshake path (`ProcessPeerCerts`) is not susceptible and the issue is limited to applications using the OpenSSL compatibility API directly, which would include integrations of wolfSSL into nginx and haproxy.",
"id": "GHSA-hg75-4cmp-f367",
"modified": "2026-04-27T18:32:02Z",
"published": "2026-04-10T06:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5501"
},
{
"type": "WEB",
"url": "https://github.com/wolfSSL/wolfssl/pull/10102"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HGCW-M9R8-99RP
Vulnerability from github – Published: 2021-12-02 00:00 – Updated: 2022-05-13 00:01Affected versions of CODESYS Git in Versions prior to V1.1.0.0 lack certificate validation in HTTPS handshakes. CODESYS Git does not implement certificate validation by default, so it does not verify that the server provides a valid and trusted HTTPS certificate. Since the certificate of the server to which the connection is made is not properly verified, the server connection is vulnerable to a man-in-the-middle attack.
{
"affected": [],
"aliases": [
"CVE-2021-34599"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-01T09:15:00Z",
"severity": "HIGH"
},
"details": "Affected versions of CODESYS Git in Versions prior to V1.1.0.0 lack certificate validation in HTTPS handshakes. CODESYS Git does not implement certificate validation by default, so it does not verify that the server provides a valid and trusted HTTPS certificate. Since the certificate of the server to which the connection is made is not properly verified, the server connection is vulnerable to a man-in-the-middle attack.",
"id": "GHSA-hgcw-m9r8-99rp",
"modified": "2022-05-13T00:01:13Z",
"published": "2021-12-02T00:00:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34599"
},
{
"type": "WEB",
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=16959\u0026token=3ce11e44a3277c4520d732ea2e630f2e06bd46ff\u0026download"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HGG6-8X62-M9GF
Vulnerability from github – Published: 2022-05-13 01:09 – Updated: 2023-12-21 23:04JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.10"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.cxf:cxf-core"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.12"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.cxf:cxf-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-5653"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-01T11:59:24Z",
"nvd_published_at": "2017-04-18T16:59:00Z",
"severity": "MODERATE"
},
"details": "JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.",
"id": "GHSA-hgg6-8x62-m9gf",
"modified": "2023-12-21T23:04:30Z",
"published": "2022-05-13T01:09:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5653"
},
{
"type": "WEB",
"url": "https://github.com/apache/cxf/commit/20d0fa3ec41c16c52b74dcc006f9d9ea212fa80f"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"type": "WEB",
"url": "https://github.com/apache/cxf"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E"
},
{
"type": "WEB",
"url": "http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc?version=1\u0026modificationDate=1492515074710\u0026api=v2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Certificate Validation in Apache CXF"
}
GHSA-HGQH-QJ43-XFMF
Vulnerability from github – Published: 2024-01-31 12:30 – Updated: 2024-01-31 12:30SSL connections to NOVELL and Synology LDAP server are vulnerable to a man-in-the-middle attack due to improper certificate validation in AREAL Topkapi Vision (Server). This allows a remote unauthenticated attacker to gather sensitive information and prevent valid users from login.
{
"affected": [],
"aliases": [
"CVE-2023-50356"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-31T11:15:07Z",
"severity": "CRITICAL"
},
"details": "SSL connections to NOVELL and Synology LDAP server are vulnerable to a man-in-the-middle attack due to improper certificate validation in AREAL Topkapi Vision (Server). This allows a remote unauthenticated attacker to gather sensitive information and prevent valid users from login.",
"id": "GHSA-hgqh-qj43-xfmf",
"modified": "2024-01-31T12:30:17Z",
"published": "2024-01-31T12:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50356"
},
{
"type": "WEB",
"url": "https://www.areal-topkapi.com/en/services/security-bulletins"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.
Mitigation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.