Common Weakness Enumeration

CWE-295

Allowed

Improper Certificate Validation

Abstraction: Base · Status: Draft

The product does not validate, or incorrectly validates, a certificate.

1908 vulnerabilities reference this CWE, most recent first.

GHSA-232R-9JVP-5FFJ

Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-04-04 02:37
VLAI
Details

European Commission eIDAS-Node Integration Package before 2.3.1 has Missing Certificate Validation because a certain ExplicitKeyTrustEvaluator return value is not checked. NOTE: only 2.1 is confirmed to be affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-18633"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-30T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "European Commission eIDAS-Node Integration Package before 2.3.1 has Missing Certificate Validation because a certain ExplicitKeyTrustEvaluator return value is not checked. NOTE: only 2.1 is confirmed to be affected.",
  "id": "GHSA-232r-9jvp-5ffj",
  "modified": "2024-04-04T02:37:10Z",
  "published": "2022-05-24T17:00:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18633"
    },
    {
      "type": "WEB",
      "url": "https://sec-consult.com/en/blog/advisories/15587"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2339-F8X6-MHV4

Vulnerability from github – Published: 2022-04-23 00:40 – Updated: 2024-04-03 23:51
VLAI
Details

nuSOAP before 0.7.3-5 does not properly check the hostname of a cert.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-6071"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-19T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "nuSOAP before 0.7.3-5 does not properly check the hostname of a cert.",
  "id": "GHSA-2339-f8x6-mhv4",
  "modified": "2024-04-03T23:51:48Z",
  "published": "2022-04-23T00:40:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6071"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696707"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2012-6071"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/12/27/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2013/01/15/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-23C2-W636-5RHM

Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2023-10-26 21:52
VLAI
Summary
Jenkins SiteMonitor Plugin globally and unconditionally disables SSL/TLS certificate validation
Details

Jenkins SiteMonitor Plugin unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM.

SiteMonitor Plugin no longer does that. Instead, it now has an opt-in option to ignore SSL/TLS errors for each site check individually.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.5"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jvnet.hudson.plugins:sitemonitor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10317"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-26T21:52:42Z",
    "nvd_published_at": "2019-04-30T13:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins SiteMonitor Plugin unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM.\n\nSiteMonitor Plugin no longer does that. Instead, it now has an opt-in option to ignore SSL/TLS errors for each site check individually.",
  "id": "GHSA-23c2-w636-5rhm",
  "modified": "2023-10-26T21:52:42Z",
  "published": "2022-05-24T16:44:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10317"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-04-30/#SECURITY-930"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200227073756/http://www.securityfocus.com/bid/108159"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/04/30/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins SiteMonitor Plugin globally and unconditionally disables SSL/TLS certificate validation "
}

GHSA-248X-4C3J-HCG7

Vulnerability from github – Published: 2022-05-13 01:16 – Updated: 2025-06-09 18:31
VLAI
Details

Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file".

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1000500"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-26T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "Busybox contains a Missing SSL certificate validation vulnerability in The \"busybox wget\" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using \"busybox wget https://compromised-domain.com/important-file\".",
  "id": "GHSA-248x-4c3j-hcg7",
  "modified": "2025-06-09T18:31:56Z",
  "published": "2022-05-13T01:16:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000500"
    },
    {
      "type": "WEB",
      "url": "https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4531-1"
    },
    {
      "type": "WEB",
      "url": "http://lists.busybox.net/pipermail/busybox/2018-May/086462.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-24JX-JXXH-QRW7

Vulnerability from github – Published: 2022-05-14 03:46 – Updated: 2022-05-14 03:46
VLAI
Details

The Neon app 1.6.14 iOS does not verify X.509 certificates from SSL servers, which allows remote attackers to spoof servers and obtain sensitive information via a crafted certificate.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-5258"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-17T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The Neon app 1.6.14 iOS does not verify X.509 certificates from SSL servers, which allows remote attackers to spoof servers and obtain sensitive information via a crafted certificate.",
  "id": "GHSA-24jx-jxxh-qrw7",
  "modified": "2022-05-14T03:46:40Z",
  "published": "2022-05-14T03:46:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5258"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/rlaneth/d2203c206d5d5acbdaf6069e78b1d07f"
    },
    {
      "type": "WEB",
      "url": "https://radialle.com/cve-2018-5258-writeup-aplicativo-do-banco-neon-para-ios-n%C3%A3o-valida-certificados-ssl-84bed0b0cecb"
    },
    {
      "type": "WEB",
      "url": "https://www.tecmundo.com.br/seguranca/126192-banco-neon-falha-permite-hacker-acesse-conta-roube-dados-clientes.htm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-24VX-5H6H-8Q7M

Vulnerability from github – Published: 2026-05-21 18:33 – Updated: 2026-05-21 18:33
VLAI
Details

Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/functions.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests for general-purpose outbound HTTPS requests issued by the shared helper functions. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-48247"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-21T18:16:21Z",
    "severity": "HIGH"
  },
  "details": "Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/functions.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests for general-purpose outbound HTTPS requests issued by the shared helper functions. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit.",
  "id": "GHSA-24vx-5h6h-8q7m",
  "modified": "2026-05-21T18:33:15Z",
  "published": "2026-05-21T18:33:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48247"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openises/tickets/releases/tag/v3.44.2"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/open-ises-tickets-disabled-tls-certificate-verification-in-incs-functions-inc-php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-255V-QV84-29P5

Vulnerability from github – Published: 2025-09-17 20:11 – Updated: 2025-09-26 16:19
VLAI
Summary
DragonFly's manager generates mTLS certificates for arbitrary IP addresses
Details

Impact

A peer can obtain a valid TLS certificate for arbitrary IP addresses, effectively rendering the mTLS authentication useless. The issue is that the Manager’s Certificate gRPC service does not validate if the requested IP addresses “belong to” the peer requesting the certificate—that is, if the peer connects from the same IP address as the one provided in the certificate request.

if addr, ok := p.Addr.(*net.TCPAddr); ok {
       ip = addr.IP.String()
} else {
       ip, _, err = net.SplitHostPort(p.Addr.String())
       if err != nil {
             return nil, err
       }
}
// Parse csr.
[skipped]
// Check csr signature.
// TODO check csr common name and so on.
if err = csr.CheckSignature(); err != nil {
       return nil, err
}
[skipped]
// TODO only valid for peer ip
// BTW we need support both of ipv4 and ipv6.
ips := csr.IPAddresses
if len(ips) == 0 {
       // Add default connected ip.
       ips = []net.IP{net.ParseIP(ip)}
}

Patches

  • Dragonfy v2.1.0 and above.

Workarounds

There are no effective workarounds, beyond upgrading.

References

A third party security audit was performed by Trail of Bits, you can see the full report.

If you have any questions or comments about this advisory, please email us at dragonfly-maintainers@googlegroups.com.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/dragonflyoss/dragonfly"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "d7y.io/dragonfly/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59353"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-17T20:11:37Z",
    "nvd_published_at": "2025-09-17T20:15:37Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nA peer can obtain a valid TLS certificate for arbitrary IP addresses, effectively rendering the mTLS authentication useless. The issue is that the Manager\u2019s Certificate gRPC service does not validate if the requested IP addresses \u201cbelong to\u201d the peer requesting the certificate\u2014that is, if the peer connects from the same IP address as the one provided in the certificate request.\n\n```golang\nif addr, ok := p.Addr.(*net.TCPAddr); ok {\n       ip = addr.IP.String()\n} else {\n       ip, _, err = net.SplitHostPort(p.Addr.String())\n       if err != nil {\n             return nil, err\n       }\n}\n// Parse csr.\n[skipped]\n// Check csr signature.\n// TODO check csr common name and so on.\nif err = csr.CheckSignature(); err != nil {\n       return nil, err\n}\n[skipped]\n// TODO only valid for peer ip\n// BTW we need support both of ipv4 and ipv6.\nips := csr.IPAddresses\nif len(ips) == 0 {\n       // Add default connected ip.\n       ips = []net.IP{net.ParseIP(ip)}\n}\n```\n### Patches\n\n- Dragonfy v2.1.0 and above.\n\n### Workarounds\n\nThere are no effective workarounds, beyond upgrading.\n\n### References\n\nA third party security audit was performed by Trail of Bits, you can see the [full report](https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf).\n\nIf you have any questions or comments about this advisory, please email us at [dragonfly-maintainers@googlegroups.com](mailto:dragonfly-maintainers@googlegroups.com).",
  "id": "GHSA-255v-qv84-29p5",
  "modified": "2025-09-26T16:19:18Z",
  "published": "2025-09-17T20:11:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-255v-qv84-29p5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59353"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dragonflyoss/dragonfly"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3969"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "DragonFly\u0027s manager generates mTLS certificates for arbitrary IP addresses"
}

GHSA-25GF-8QRR-G78R

Vulnerability from github – Published: 2021-07-19 21:21 – Updated: 2022-08-11 20:43
VLAI
Summary
Hashicorp Consul Missing SSL Certificate Validation
Details

HashiCorp Consul before 1.10.1 (and Consul Enterprise) has Missing SSL Certificate Validation. xds does not ensure that the Subject Alternative Name of an upstream is validated.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hashicorp/consul"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32574"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-07-19T17:36:42Z",
    "nvd_published_at": "2021-07-17T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "HashiCorp Consul before 1.10.1 (and Consul Enterprise) has Missing SSL Certificate Validation. xds does not ensure that the Subject Alternative Name of an upstream is validated.",
  "id": "GHSA-25gf-8qrr-g78r",
  "modified": "2022-08-11T20:43:48Z",
  "published": "2021-07-19T21:21:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32574"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/consul/releases/tag/v1.10.1"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-09"
    },
    {
      "type": "WEB",
      "url": "https://www.hashicorp.com/blog/category/consul"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Hashicorp Consul Missing SSL Certificate Validation"
}

GHSA-25VQ-3GFH-MVJ7

Vulnerability from github – Published: 2022-05-13 01:35 – Updated: 2022-05-13 01:35
VLAI
Details

A vulnerability in the Secure Sockets Layer (SSL) Virtual Private Network (VPN) Client Certificate Authentication feature for Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to establish an SSL VPN connection and bypass certain SSL certificate verification steps. The vulnerability is due to incorrect verification of the SSL Client Certificate. An attacker could exploit this vulnerability by connecting to the ASA VPN without a proper private key and certificate pair. A successful exploit could allow the attacker to establish an SSL VPN connection to the ASA when the connection should have been rejected. This vulnerability affects Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software that is running on the following Cisco products: 3000 Series Industrial Security Appliances (ISA), ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliances (ASAv), Firepower 4110 Security Appliances, Firepower 9300 ASA Security Modules. Cisco Bug IDs: CSCvg40155.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-0227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-19T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the Secure Sockets Layer (SSL) Virtual Private Network (VPN) Client Certificate Authentication feature for Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to establish an SSL VPN connection and bypass certain SSL certificate verification steps. The vulnerability is due to incorrect verification of the SSL Client Certificate. An attacker could exploit this vulnerability by connecting to the ASA VPN without a proper private key and certificate pair. A successful exploit could allow the attacker to establish an SSL VPN connection to the ASA when the connection should have been rejected. This vulnerability affects Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software that is running on the following Cisco products: 3000 Series Industrial Security Appliances (ISA), ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliances (ASAv), Firepower 4110 Security Appliances, Firepower 9300 ASA Security Modules. Cisco Bug IDs: CSCvg40155.",
  "id": "GHSA-25vq-3gfh-mvj7",
  "modified": "2022-05-13T01:35:33Z",
  "published": "2022-05-13T01:35:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0227"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-184-01"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asa1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/104018"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040723"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-26Q9-378G-G2F7

Vulnerability from github – Published: 2023-11-13 18:30 – Updated: 2023-11-13 18:30
VLAI
Details

Improper Certificate Validation in FotaAgent prior to SMR Nov-2023 Release1 allows remote attacker to intercept the network traffic including Firmware information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42532"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T08:15:15Z",
    "severity": "HIGH"
  },
  "details": "Improper Certificate Validation in FotaAgent prior to SMR Nov-2023 Release1 allows remote attacker to intercept the network traffic including Firmware information.",
  "id": "GHSA-26q9-378g-g2f7",
  "modified": "2023-11-13T18:30:59Z",
  "published": "2023-11-13T18:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42532"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2023\u0026month=11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.

Mitigation
Implementation

If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.

CAPEC-459: Creating a Rogue Certification Authority Certificate

An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.

CAPEC-475: Signature Spoofing by Improper Validation

An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.