Common Weakness Enumeration

CWE-295

Allowed

Improper Certificate Validation

Abstraction: Base · Status: Draft

The product does not validate, or incorrectly validates, a certificate.

1908 vulnerabilities reference this CWE, most recent first.

GHSA-42M9-F9C6-JJRJ

Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2024-04-04 01:15
VLAI
Details

An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys, aka 'WCF/WIF SAML Token Authentication Bypass Vulnerability'.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-1006"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-15T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys, aka \u0027WCF/WIF SAML Token Authentication Bypass Vulnerability\u0027.",
  "id": "GHSA-42m9-f9c6-jjrj",
  "modified": "2024-04-04T01:15:50Z",
  "published": "2022-05-24T16:50:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1006"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1006"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-43FF-RR26-8HX4

Vulnerability from github – Published: 2025-10-15 20:09 – Updated: 2025-10-15 20:09
VLAI
Summary
OpenSearch Data Prepper plugins trust all SSL certificates by default
Details

Impact

The OpenSearch sink and source plugins in Data Prepper are configured to trust all SSL certificates by default when no certificate path was provided, making connections vulnerable to man-in-the-middle attacks.

Prior to this fix, the OpenSearch sink and source plugins would automatically use a trust all SSL strategy when connecting to OpenSearch clusters if no certificate path was explicitly configured. This behavior bypassed SSL certificate validation, potentially allowing attackers to intercept and modify data in transit through man-in-the-middle attacks.

The vulnerability affects connections to OpenSearch when the cert parameter is not explicitly provided.

Patches

Data Prepper 2.12.2

Workarounds

If you cannot immediately upgrade to the fixed version, you can implement the following workaround.

OpenSearch sink

Add the cert parameter to your OpenSearch sink configuration with the path to your cluster's CA certificate. The following example shows how to accomplish this.

sink:
  - opensearch:
      hosts: ["https://your-opensearch-cluster:9200"]
      cert: /path/to/your/ca-certificate.pem

OpenSearch source

Add the cert parameter to your OpenSearch sink configuration with the path to your cluster's CA certificate. The following example shows how to accomplish this.

sink:
  - opensearch:
      hosts: ["https://your-opensearch-cluster:9200"]
      connection:
        cert: /path/to/your/ca-certificate.pem

References

N/A

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opensearch.dataprepper.plugins:opensearch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.12.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62371"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-15T20:09:53Z",
    "nvd_published_at": "2025-10-15T18:15:39Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe OpenSearch sink and source plugins in Data Prepper are configured to trust all SSL certificates by default when no certificate path was provided, making connections vulnerable to man-in-the-middle attacks.\n\nPrior to this fix, the OpenSearch sink and source plugins would automatically use a trust all SSL strategy when connecting to OpenSearch clusters if no certificate path was explicitly configured. This behavior bypassed SSL certificate validation, potentially allowing attackers to intercept and modify data in transit through man-in-the-middle attacks.\n\nThe vulnerability affects connections to OpenSearch when the `cert` parameter is not explicitly provided.\n\n### Patches\n\nData Prepper 2.12.2\n\n### Workarounds\n\nIf you cannot immediately upgrade to the fixed version, you can implement the following workaround.\n\n#### OpenSearch sink\n\nAdd the `cert` parameter to your OpenSearch sink configuration with the path to your cluster\u0027s CA certificate. The following example shows how to accomplish this.\n\n```\nsink:\n  - opensearch:\n      hosts: [\"https://your-opensearch-cluster:9200\"]\n      cert: /path/to/your/ca-certificate.pem\n```\n\n#### OpenSearch source\n\nAdd the `cert` parameter to your OpenSearch sink configuration with the path to your cluster\u0027s CA certificate. The following example shows how to accomplish this.\n\n```\nsink:\n  - opensearch:\n      hosts: [\"https://your-opensearch-cluster:9200\"]\n      connection:\n        cert: /path/to/your/ca-certificate.pem\n```\n\n\n### References\n\nN/A",
  "id": "GHSA-43ff-rr26-8hx4",
  "modified": "2025-10-15T20:09:53Z",
  "published": "2025-10-15T20:09:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opensearch-project/data-prepper/security/advisories/GHSA-43ff-rr26-8hx4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62371"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opensearch-project/data-prepper/commit/98fcf0d0ff9c18f1f7501e11dbed918814724b99"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opensearch-project/data-prepper/commit/b0386a5af3fb71094ba6c86cd8b2afc783246599"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opensearch-project/data-prepper/commit/db11ce8f27ebca018980b2bca863f7173de9ce56"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/opensearch-project/data-prepper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenSearch Data Prepper plugins trust all SSL certificates by default"
}

GHSA-444R-2XR3-RXHV

Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2022-05-13 01:11
VLAI
Details

The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-0363"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-04-30T10:49:00Z",
    "severity": "MODERATE"
  },
  "details": "The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain.",
  "id": "GHSA-444r-2xr3-rxhv",
  "modified": "2022-05-13T01:11:39Z",
  "published": "2022-05-13T01:11:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0363"
    },
    {
      "type": "WEB",
      "url": "http://community.igniterealtime.org/blogs/ignite/2014/04/17/asmack-400-rc1-has-been-released"
    },
    {
      "type": "WEB",
      "url": "http://issues.igniterealtime.org/browse/SMACK-410"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-1176.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/59290"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/59291"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/489228"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/67119"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4487-5MJ9-G5R6

Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-05-24 17:47
VLAI
Details

The Motorola MH702x devices, prior to version 2.0.0.301, do not properly verify the server certificate during communication with the support server which could lead to the communication channel being accessible by an attacker.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3460"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-13T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The Motorola MH702x devices, prior to version 2.0.0.301, do not properly verify the server certificate during communication with the support server which could lead to the communication channel being accessible by an attacker.",
  "id": "GHSA-4487-5mj9-g5r6",
  "modified": "2022-05-24T17:47:30Z",
  "published": "2022-05-24T17:47:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3460"
    },
    {
      "type": "WEB",
      "url": "https://motorolamentor.zendesk.com/hc/en-us/articles/1260804087249"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-44HQ-X6CH-XPG3

Vulnerability from github – Published: 2023-05-18 12:30 – Updated: 2023-05-18 12:30
VLAI
Details

Sensitive information disclosure and manipulation due to improper certification validation. The following products are affected: Acronis Agent (Windows) before build 29633, Acronis Cyber Protect 15 (Windows) before build 30984.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-45457"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-18T10:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Sensitive information disclosure and manipulation due to improper certification validation. The following products are affected: Acronis Agent (Windows) before build 29633, Acronis Cyber Protect 15 (Windows) before build 30984.",
  "id": "GHSA-44hq-x6ch-xpg3",
  "modified": "2023-05-18T12:30:15Z",
  "published": "2023-05-18T12:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45457"
    },
    {
      "type": "WEB",
      "url": "https://security-advisory.acronis.com/advisories/SEC-3957"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-454W-5CF7-2XQX

Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-15 21:31
VLAI
Details

When a TLS Certificate error occurs on a domain protected by the HSTS header, the browser should not allow the user to bypass the certificate error. On Firefox for Android, the user was presented with the option to bypass the error; this could only have been done by the user explicitly.
This bug only affects Firefox for Android. Other operating systems are unaffected.. This vulnerability affects Firefox < 102.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34469"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-22T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "When a TLS Certificate error occurs on a domain protected by the HSTS header, the browser should not allow the user to bypass the certificate error. On Firefox for Android, the user was presented with the option to bypass the error; this could only have been done by the user explicitly. \u003cbr\u003e*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox \u003c 102.",
  "id": "GHSA-454w-5cf7-2xqx",
  "modified": "2025-04-15T21:31:25Z",
  "published": "2022-12-22T21:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34469"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1721220"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-24"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-45GG-VH54-H5M9

Vulnerability from github – Published: 2026-06-25 22:14 – Updated: 2026-07-17 15:32
VLAI
Summary
golang.org/x/crypto vulnerable to invoking bypass of certificate restrictions
Details

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "golang.org/x/crypto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.52.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39828"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281",
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-25T22:14:38Z",
    "nvd_published_at": "2026-05-22T04:16:22Z",
    "severity": "MODERATE"
  },
  "details": "When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.",
  "id": "GHSA-45gg-vh54-h5m9",
  "modified": "2026-07-17T15:32:12Z",
  "published": "2026-06-25T22:14:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39828"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26546"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:40119"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:40262"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:40945"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:40969"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:40972"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:40974"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:41019"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:41031"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:41036"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:41066"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-39828"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480687"
    },
    {
      "type": "PACKAGE",
      "url": "https://cs.opensource.google/go/x/crypto"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/cl/781621"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/issue/79562"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2026-5014"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39828.json"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26547"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36105"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36167"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36207"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36319"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36625"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36648"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36651"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36796"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36797"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36808"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:37268"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:37271"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:37272"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:37278"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:37286"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:37296"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:37387"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:40118"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "golang.org/x/crypto vulnerable to invoking bypass of certificate restrictions"
}

GHSA-45Q2-F3RM-5R6V

Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2023-02-02 18:30
VLAI
Details

A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as Man in the Middle.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-14823"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295",
      "CWE-358"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-14T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in the \"Leaf and Chain\" OCSP policy implementation in JSS\u0027 CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as Man in the Middle.",
  "id": "GHSA-45q2-f3rm-5r6v",
  "modified": "2023-02-02T18:30:50Z",
  "published": "2022-05-24T16:58:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14823"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:3067"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:3225"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2019-14823"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1747435"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14823"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ENEN4DQBE6WOGEP5BQ5X62WZM7ZQEEBG"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O53NXVKMF7PJCPMCJQHLMSYCUGDHGBVE"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UZZWZLNALV6AOIBIHB3ZMNA5AGZMZAIY"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-465W-GG5P-85C9

Vulnerability from github – Published: 2021-05-18 21:09 – Updated: 2021-05-18 20:45
VLAI
Summary
Insufficient Session Expiration in Kiali
Details

An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kiali/kiali"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.4.0"
            },
            {
              "fixed": "1.15.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-1762"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295",
      "CWE-384",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-18T20:45:55Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration.",
  "id": "GHSA-465w-gg5p-85c9",
  "modified": "2021-05-18T20:45:55Z",
  "published": "2021-05-18T21:09:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1762"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kiali/kiali/commit/93f5cd0b6698e8fe8772afb8f35816f6c086aef1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kiali/kiali/commit/c91a0949683976f621cca213c1193831d63b381c"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1810387"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1762"
    },
    {
      "type": "WEB",
      "url": "https://kiali.io/news/security-bulletins/kiali-security-001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insufficient Session Expiration in Kiali"
}

GHSA-468W-8X39-GJ5V

Vulnerability from github – Published: 2022-12-08 16:11 – Updated: 2022-12-12 22:26
VLAI
Summary
Traefik routes exposed with an empty TLSOption
Details

Impact

There is a potential vulnerability in Traefik managing the TLS connections.

A router configured with a not well-formatted TLSOption is exposed with an empty TLSOption.

For instance, a route secured using an mTLS connection set with a wrong CA file is exposed without verifying the client certificates.

Patches

https://github.com/traefik/traefik/releases/tag/v2.9.6

Workarounds

Check the logs to detect the following error messages and fix your TLS options:

  • Empty CA:
{"level":"error","msg":"invalid clientAuthType: RequireAndVerifyClientCert, CAFiles is required","routerName":"Router0@file"}
  • Bad CA content (or bad path):
{"level":"error","msg":"invalid certificate(s) content","routerName":"Router0@file"}
  • Unknown Client Auth Type:
{"level":"error","msg":"unknown client auth type \"FooClientAuthType\"","routerName":"Router0@file"}
  • Invalid cipherSuites
{"level":"error","msg":"invalid CipherSuite: foobar","routerName":"Router0@file"}
  • Invalid curvePreferences
{"level":"error","msg":"invalid CurveID in curvePreferences: foobar","routerName":"Router0@file"}

For more information

If you have any questions or comments about this advisory, please open an issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.9.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-46153"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-08T16:11:12Z",
    "nvd_published_at": "2022-12-08T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\n\nThere is a potential vulnerability in Traefik managing the TLS connections.\n\nA router configured with a not well-formatted [TLSOption](https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options) is exposed with an empty TLSOption.\n\nFor instance, a route secured using an mTLS connection set with a wrong CA file is exposed without verifying the client certificates.\n\n## Patches\n\nhttps://github.com/traefik/traefik/releases/tag/v2.9.6\n\n## Workarounds\n\nCheck the logs to detect the following error messages and fix your TLS options:\n\n- Empty CA:\n\n```\n{\"level\":\"error\",\"msg\":\"invalid clientAuthType: RequireAndVerifyClientCert, CAFiles is required\",\"routerName\":\"Router0@file\"}\n```\n\n- Bad CA content (or bad path):\n\n```\n{\"level\":\"error\",\"msg\":\"invalid certificate(s) content\",\"routerName\":\"Router0@file\"}\n```\n\n- Unknown Client Auth Type:\n\n```\n{\"level\":\"error\",\"msg\":\"unknown client auth type \\\"FooClientAuthType\\\"\",\"routerName\":\"Router0@file\"}\n```\n\n- Invalid cipherSuites\n\n```\n{\"level\":\"error\",\"msg\":\"invalid CipherSuite: foobar\",\"routerName\":\"Router0@file\"}\n```\n\n- Invalid curvePreferences\n\n```\n{\"level\":\"error\",\"msg\":\"invalid CurveID in curvePreferences: foobar\",\"routerName\":\"Router0@file\"}\n``` \n\n## For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).",
  "id": "GHSA-468w-8x39-gj5v",
  "modified": "2022-12-12T22:26:28Z",
  "published": "2022-12-08T16:11:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-468w-8x39-gj5v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46153"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/commit/7e3fe48b80083b41e9ff82a474a36484cabc701a"
    },
    {
      "type": "WEB",
      "url": "https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.9.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Traefik routes exposed with an empty TLSOption"
}

Mitigation
Architecture and Design Implementation

Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.

Mitigation
Implementation

If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.

CAPEC-459: Creating a Rogue Certification Authority Certificate

An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.

CAPEC-475: Signature Spoofing by Improper Validation

An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.