CWE-295
AllowedImproper Certificate Validation
Abstraction: Base · Status: Draft
The product does not validate, or incorrectly validates, a certificate.
1908 vulnerabilities reference this CWE, most recent first.
GHSA-2JP3-FVM5-PQ7W
Vulnerability from github – Published: 2022-05-17 00:26 – Updated: 2022-05-17 00:26niconico App for iOS before 6.38 does not verify SSL certificates which could allow remote attackers to execute man-in-the-middle attacks.
{
"affected": [],
"aliases": [
"CVE-2015-5639"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-10T16:29:00Z",
"severity": "HIGH"
},
"details": "niconico App for iOS before 6.38 does not verify SSL certificates which could allow remote attackers to execute man-in-the-middle attacks.",
"id": "GHSA-2jp3-fvm5-pq7w",
"modified": "2022-05-17T00:26:26Z",
"published": "2022-05-17T00:26:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5639"
},
{
"type": "WEB",
"url": "http://blog.nicovideo.jp/niconews/ni055746.html"
},
{
"type": "WEB",
"url": "http://jvn.jp/en/jp/JVN20355129/index.html"
},
{
"type": "WEB",
"url": "http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000137.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/76906"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2M7G-9Q74-9M3Q
Vulnerability from github – Published: 2020-05-06 20:49 – Updated: 2021-08-25 21:06The Apache Beam MongoDB connector in versions 2.10.0 to 2.16.0 has an option to disable SSL trust verification. However this configuration is not respected and the certificate verification disables trust verification in every case. This exclusion also gets registered globally which disables trust checking for any code running in the same JVM.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.16.0"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.beam:beam-sdks-java-io-mongodb"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.0"
},
{
"fixed": "2.17.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-1929"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2020-05-06T20:48:51Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "The Apache Beam MongoDB connector in versions 2.10.0 to 2.16.0 has an option to disable SSL trust verification. However this configuration is not respected and the certificate verification disables trust verification in every case. This exclusion also gets registered globally which disables trust checking for any code running in the same JVM.",
"id": "GHSA-2m7g-9q74-9m3q",
"modified": "2021-08-25T21:06:45Z",
"published": "2020-05-06T20:49:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1929"
},
{
"type": "WEB",
"url": "https://github.com/apache/beam/commit/a7dd23d95d2d214b4110781b5a28802bd43b834b"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/beam"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rdd0e85b71bf0274471b40fa1396d77f7b2d1165eaea4becbdc69aa04%40%3Cuser.beam.apache.org%3E"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Certificate Validation in Apache Beam"
}
GHSA-2MC2-G238-722J
Vulnerability from github – Published: 2026-03-03 21:35 – Updated: 2026-03-03 21:35Summary
Remote iMessage attachment fetches used SCP with trust-on-first-use host-key behavior and accepted unvalidated remote host tokens.
Before the fix:
- SCP used StrictHostKeyChecking=accept-new in the remote attachment path.
- channels.imessage.remoteHost was not validated as a strict SSH host token.
Impact
In remote iMessage deployments that use SCP attachment fetching, a first-connection MITM/DNS-poisoning scenario could cause the wrong host key to be trusted. Unsafe remote host token values could also alter SCP argument semantics.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published npm version currently affected:
2026.2.17 - Vulnerable range (structured field):
<= 2026.2.17 - Patched version (pre-set for next release):
>= 2026.2.19
Fix
The fix hardens remote attachment SSH/SCP handling by:
- requiring StrictHostKeyChecking=yes for SCP and SSH tunnel paths,
- adding strict remoteHost normalization/validation,
- adding -- argument barrier for SCP remote source parsing,
- validating channels.imessage.remoteHost in config schema,
- rejecting unsafe auto-detected host tokens at runtime.
Fix Commit(s)
- Pushed to
main: 49d0def6d1e88f002026b1d2a35aa615d48a751a
OpenClaw thanks @allsmog for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.2.17"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T21:35:21Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nRemote iMessage attachment fetches used SCP with trust-on-first-use host-key behavior and accepted unvalidated remote host tokens.\n\nBefore the fix:\n- SCP used `StrictHostKeyChecking=accept-new` in the remote attachment path.\n- `channels.imessage.remoteHost` was not validated as a strict SSH host token.\n\n## Impact\n\nIn remote iMessage deployments that use SCP attachment fetching, a first-connection MITM/DNS-poisoning scenario could cause the wrong host key to be trusted. Unsafe remote host token values could also alter SCP argument semantics.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Latest published npm version currently affected: `2026.2.17`\n- Vulnerable range (structured field): `\u003c= 2026.2.17`\n- Patched version (pre-set for next release): `\u003e= 2026.2.19`\n\n## Fix\n\nThe fix hardens remote attachment SSH/SCP handling by:\n- requiring `StrictHostKeyChecking=yes` for SCP and SSH tunnel paths,\n- adding strict `remoteHost` normalization/validation,\n- adding `--` argument barrier for SCP remote source parsing,\n- validating `channels.imessage.remoteHost` in config schema,\n- rejecting unsafe auto-detected host tokens at runtime.\n\n## Fix Commit(s)\n\n- Pushed to `main`: 49d0def6d1e88f002026b1d2a35aa615d48a751a\n\nOpenClaw thanks @allsmog for reporting.",
"id": "GHSA-2mc2-g238-722j",
"modified": "2026-03-03T21:35:21Z",
"published": "2026-03-03T21:35:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2mc2-g238-722j"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/49d0def6d1e88f002026b1d2a35aa615d48a751a"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw affected by iMessage remote attachment SCP hardening (strict host-key checks and remoteHost validation)"
}
GHSA-2MMV-7RRP-G8XH
Vulnerability from github – Published: 2026-01-12 16:13 – Updated: 2026-01-12 20:07Impact
The SSL verification would be skipped for some crafted URLs.
Patches
- https://github.com/WeblateOrg/wlc/pull/1097
Workarounds
Avoid using untrusted wlc configurations, as that might cause insecure connections.
References
This issue was reported to us by wh1zee via HackerOne.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "wlc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22250"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-12T16:13:33Z",
"nvd_published_at": "2026-01-12T18:15:49Z",
"severity": "LOW"
},
"details": "### Impact\nThe SSL verification would be skipped for some crafted URLs.\n\n### Patches\n* https://github.com/WeblateOrg/wlc/pull/1097\n\n### Workarounds\nAvoid using untrusted wlc configurations, as that might cause insecure connections.\n\n### References\nThis issue was reported to us by [wh1zee](https://hackerone.com/wh1zee) via HackerOne.",
"id": "GHSA-2mmv-7rrp-g8xh",
"modified": "2026-01-12T20:07:14Z",
"published": "2026-01-12T16:13:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-2mmv-7rrp-g8xh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22250"
},
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/wlc/pull/1097"
},
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/wlc/commit/a513864ec4daad00146e6d6e039559726e256fa3"
},
{
"type": "PACKAGE",
"url": "https://github.com/WeblateOrg/wlc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Weblate command-line client susceptible to SSL verification skip"
}
GHSA-2P88-V9R5-P4MP
Vulnerability from github – Published: 2022-05-17 04:31 – Updated: 2022-05-17 04:31The Smart Call Home (SCH) implementation in Cisco ASA Software 8.2 before 8.2(5.50), 8.4 before 8.4(7.15), 8.6 before 8.6(1.14), 8.7 before 8.7(1.13), 9.0 before 9.0(4.8), and 9.1 before 9.1(5.1) allows remote attackers to bypass certificate validation via an arbitrary VeriSign certificate, aka Bug ID CSCun10916.
{
"affected": [],
"aliases": [
"CVE-2014-3394"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-10-10T10:55:00Z",
"severity": "MODERATE"
},
"details": "The Smart Call Home (SCH) implementation in Cisco ASA Software 8.2 before 8.2(5.50), 8.4 before 8.4(7.15), 8.6 before 8.6(1.14), 8.7 before 8.7(1.13), 9.0 before 9.0(4.8), and 9.1 before 9.1(5.1) allows remote attackers to bypass certificate validation via an arbitrary VeriSign certificate, aka Bug ID CSCun10916.",
"id": "GHSA-2p88-v9r5-p4mp",
"modified": "2022-05-17T04:31:07Z",
"published": "2022-05-17T04:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3394"
},
{
"type": "WEB",
"url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2PHC-GXQ3-33RM
Vulnerability from github – Published: 2022-05-17 02:39 – Updated: 2025-04-20 03:39The "CFB Mobile Banking" by Citizens First Bank Wisconsin app 3.0.1 -- aka cfb-mobile-banking/id1081102805 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
{
"affected": [],
"aliases": [
"CVE-2017-9596"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-16T12:29:00Z",
"severity": "MODERATE"
},
"details": "The \"CFB Mobile Banking\" by Citizens First Bank Wisconsin app 3.0.1 -- aka cfb-mobile-banking/id1081102805 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.",
"id": "GHSA-2phc-gxq3-33rm",
"modified": "2025-04-20T03:39:14Z",
"published": "2022-05-17T02:39:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9596"
},
{
"type": "WEB",
"url": "https://medium.com/%40chronic_9612/advisory-44-credit-union-apps-for-ios-may-allow-login-credential-exposure-4d2f380b85c5"
},
{
"type": "WEB",
"url": "https://medium.com/@chronic_9612/advisory-44-credit-union-apps-for-ios-may-allow-login-credential-exposure-4d2f380b85c5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2PQV-GJX5-J94F
Vulnerability from github – Published: 2022-05-13 01:28 – Updated: 2022-05-13 01:28A potential vulnerability has been identified in HP Remote Graphics Software’s certificate authentication process version 7.5.0 and earlier.
{
"affected": [],
"aliases": [
"CVE-2018-5926"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-27T16:29:00Z",
"severity": "CRITICAL"
},
"details": "A potential vulnerability has been identified in HP Remote Graphics Software\u2019s certificate authentication process version 7.5.0 and earlier.",
"id": "GHSA-2pqv-gjx5-j94f",
"modified": "2022-05-13T01:28:29Z",
"published": "2022-05-13T01:28:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5926"
},
{
"type": "WEB",
"url": "https://support.hp.com/us-en/document/c06201418"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2PW7-G86G-76Q7
Vulnerability from github – Published: 2026-05-27 00:31 – Updated: 2026-07-15 15:32A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or man-in-the-middle attacks.
{
"affected": [],
"aliases": [
"CVE-2026-42013"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-26T22:16:42Z",
"severity": "HIGH"
},
"details": "A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or man-in-the-middle attacks.",
"id": "GHSA-2pw7-g86g-76q7",
"modified": "2026-07-15T15:32:42Z",
"published": "2026-05-27T00:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42013"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:13274"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20611"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20612"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20613"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26319"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26409"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:29197"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30004"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30849"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30850"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:32962"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:33125"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-42013"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467448"
},
{
"type": "WEB",
"url": "https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2PWF-98XM-HGM2
Vulnerability from github – Published: 2022-05-14 02:52 – Updated: 2022-05-14 02:52OpenFire XMPP Server before 3.10 accepts self-signed certificates, which allows remote attackers to perform unspecified spoofing attacks.
{
"affected": [],
"aliases": [
"CVE-2014-3451"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-18T18:29:00Z",
"severity": "HIGH"
},
"details": "OpenFire XMPP Server before 3.10 accepts self-signed certificates, which allows remote attackers to perform unspecified spoofing attacks.",
"id": "GHSA-2pwf-98xm-hgm2",
"modified": "2022-05-14T02:52:42Z",
"published": "2022-05-14T02:52:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3451"
},
{
"type": "WEB",
"url": "https://community.igniterealtime.org/blogs/ignite/2015/04/22/openfire-3100-released"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/131614/OpenFire-XMPP-3.9.3-Certificate-Handling.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/04/23/16"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/535363/100/1100/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/74305"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2Q9R-QXXC-WGH3
Vulnerability from github – Published: 2022-05-14 02:57 – Updated: 2025-04-20 03:39The "RVCB Mobile" by RVCB Mobile Banking app 3.0.0 -- aka rvcb-mobile/id757928895 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
{
"affected": [],
"aliases": [
"CVE-2017-9578"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-16T12:29:00Z",
"severity": "MODERATE"
},
"details": "The \"RVCB Mobile\" by RVCB Mobile Banking app 3.0.0 -- aka rvcb-mobile/id757928895 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.",
"id": "GHSA-2q9r-qxxc-wgh3",
"modified": "2025-04-20T03:39:12Z",
"published": "2022-05-14T02:57:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9578"
},
{
"type": "WEB",
"url": "https://medium.com/%40chronic_9612/advisory-44-credit-union-apps-for-ios-may-allow-login-credential-exposure-4d2f380b85c5"
},
{
"type": "WEB",
"url": "https://medium.com/@chronic_9612/advisory-44-credit-union-apps-for-ios-may-allow-login-credential-exposure-4d2f380b85c5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.
Mitigation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.