CWE-295
AllowedImproper Certificate Validation
Abstraction: Base · Status: Draft
The product does not validate, or incorrectly validates, a certificate.
1908 vulnerabilities reference this CWE, most recent first.
GHSA-42M9-F9C6-JJRJ
Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2024-04-04 01:15An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys, aka 'WCF/WIF SAML Token Authentication Bypass Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2019-1006"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-15T19:15:00Z",
"severity": "HIGH"
},
"details": "An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys, aka \u0027WCF/WIF SAML Token Authentication Bypass Vulnerability\u0027.",
"id": "GHSA-42m9-f9c6-jjrj",
"modified": "2024-04-04T01:15:50Z",
"published": "2022-05-24T16:50:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1006"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-43FF-RR26-8HX4
Vulnerability from github – Published: 2025-10-15 20:09 – Updated: 2025-10-15 20:09Impact
The OpenSearch sink and source plugins in Data Prepper are configured to trust all SSL certificates by default when no certificate path was provided, making connections vulnerable to man-in-the-middle attacks.
Prior to this fix, the OpenSearch sink and source plugins would automatically use a trust all SSL strategy when connecting to OpenSearch clusters if no certificate path was explicitly configured. This behavior bypassed SSL certificate validation, potentially allowing attackers to intercept and modify data in transit through man-in-the-middle attacks.
The vulnerability affects connections to OpenSearch when the cert parameter is not explicitly provided.
Patches
Data Prepper 2.12.2
Workarounds
If you cannot immediately upgrade to the fixed version, you can implement the following workaround.
OpenSearch sink
Add the cert parameter to your OpenSearch sink configuration with the path to your cluster's CA certificate. The following example shows how to accomplish this.
sink:
- opensearch:
hosts: ["https://your-opensearch-cluster:9200"]
cert: /path/to/your/ca-certificate.pem
OpenSearch source
Add the cert parameter to your OpenSearch sink configuration with the path to your cluster's CA certificate. The following example shows how to accomplish this.
sink:
- opensearch:
hosts: ["https://your-opensearch-cluster:9200"]
connection:
cert: /path/to/your/ca-certificate.pem
References
N/A
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.opensearch.dataprepper.plugins:opensearch"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.12.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62371"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-15T20:09:53Z",
"nvd_published_at": "2025-10-15T18:15:39Z",
"severity": "HIGH"
},
"details": "### Impact\n\nThe OpenSearch sink and source plugins in Data Prepper are configured to trust all SSL certificates by default when no certificate path was provided, making connections vulnerable to man-in-the-middle attacks.\n\nPrior to this fix, the OpenSearch sink and source plugins would automatically use a trust all SSL strategy when connecting to OpenSearch clusters if no certificate path was explicitly configured. This behavior bypassed SSL certificate validation, potentially allowing attackers to intercept and modify data in transit through man-in-the-middle attacks.\n\nThe vulnerability affects connections to OpenSearch when the `cert` parameter is not explicitly provided.\n\n### Patches\n\nData Prepper 2.12.2\n\n### Workarounds\n\nIf you cannot immediately upgrade to the fixed version, you can implement the following workaround.\n\n#### OpenSearch sink\n\nAdd the `cert` parameter to your OpenSearch sink configuration with the path to your cluster\u0027s CA certificate. The following example shows how to accomplish this.\n\n```\nsink:\n - opensearch:\n hosts: [\"https://your-opensearch-cluster:9200\"]\n cert: /path/to/your/ca-certificate.pem\n```\n\n#### OpenSearch source\n\nAdd the `cert` parameter to your OpenSearch sink configuration with the path to your cluster\u0027s CA certificate. The following example shows how to accomplish this.\n\n```\nsink:\n - opensearch:\n hosts: [\"https://your-opensearch-cluster:9200\"]\n connection:\n cert: /path/to/your/ca-certificate.pem\n```\n\n\n### References\n\nN/A",
"id": "GHSA-43ff-rr26-8hx4",
"modified": "2025-10-15T20:09:53Z",
"published": "2025-10-15T20:09:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/opensearch-project/data-prepper/security/advisories/GHSA-43ff-rr26-8hx4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62371"
},
{
"type": "WEB",
"url": "https://github.com/opensearch-project/data-prepper/commit/98fcf0d0ff9c18f1f7501e11dbed918814724b99"
},
{
"type": "WEB",
"url": "https://github.com/opensearch-project/data-prepper/commit/b0386a5af3fb71094ba6c86cd8b2afc783246599"
},
{
"type": "WEB",
"url": "https://github.com/opensearch-project/data-prepper/commit/db11ce8f27ebca018980b2bca863f7173de9ce56"
},
{
"type": "PACKAGE",
"url": "https://github.com/opensearch-project/data-prepper"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenSearch Data Prepper plugins trust all SSL certificates by default"
}
GHSA-444R-2XR3-RXHV
Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2022-05-13 01:11The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain.
{
"affected": [],
"aliases": [
"CVE-2014-0363"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-04-30T10:49:00Z",
"severity": "MODERATE"
},
"details": "The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain.",
"id": "GHSA-444r-2xr3-rxhv",
"modified": "2022-05-13T01:11:39Z",
"published": "2022-05-13T01:11:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0363"
},
{
"type": "WEB",
"url": "http://community.igniterealtime.org/blogs/ignite/2014/04/17/asmack-400-rc1-has-been-released"
},
{
"type": "WEB",
"url": "http://issues.igniterealtime.org/browse/SMACK-410"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1176.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/59290"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/59291"
},
{
"type": "WEB",
"url": "http://www.kb.cert.org/vuls/id/489228"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/67119"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4487-5MJ9-G5R6
Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-05-24 17:47The Motorola MH702x devices, prior to version 2.0.0.301, do not properly verify the server certificate during communication with the support server which could lead to the communication channel being accessible by an attacker.
{
"affected": [],
"aliases": [
"CVE-2021-3460"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-13T21:15:00Z",
"severity": "CRITICAL"
},
"details": "The Motorola MH702x devices, prior to version 2.0.0.301, do not properly verify the server certificate during communication with the support server which could lead to the communication channel being accessible by an attacker.",
"id": "GHSA-4487-5mj9-g5r6",
"modified": "2022-05-24T17:47:30Z",
"published": "2022-05-24T17:47:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3460"
},
{
"type": "WEB",
"url": "https://motorolamentor.zendesk.com/hc/en-us/articles/1260804087249"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-44HQ-X6CH-XPG3
Vulnerability from github – Published: 2023-05-18 12:30 – Updated: 2023-05-18 12:30Sensitive information disclosure and manipulation due to improper certification validation. The following products are affected: Acronis Agent (Windows) before build 29633, Acronis Cyber Protect 15 (Windows) before build 30984.
{
"affected": [],
"aliases": [
"CVE-2022-45457"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-18T10:15:09Z",
"severity": "MODERATE"
},
"details": "Sensitive information disclosure and manipulation due to improper certification validation. The following products are affected: Acronis Agent (Windows) before build 29633, Acronis Cyber Protect 15 (Windows) before build 30984.",
"id": "GHSA-44hq-x6ch-xpg3",
"modified": "2023-05-18T12:30:15Z",
"published": "2023-05-18T12:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45457"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-3957"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-454W-5CF7-2XQX
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-15 21:31When a TLS Certificate error occurs on a domain protected by the HSTS header, the browser should not allow the user to bypass the certificate error. On Firefox for Android, the user was presented with the option to bypass the error; this could only have been done by the user explicitly.
This bug only affects Firefox for Android. Other operating systems are unaffected.. This vulnerability affects Firefox < 102.
{
"affected": [],
"aliases": [
"CVE-2022-34469"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "HIGH"
},
"details": "When a TLS Certificate error occurs on a domain protected by the HSTS header, the browser should not allow the user to bypass the certificate error. On Firefox for Android, the user was presented with the option to bypass the error; this could only have been done by the user explicitly. \u003cbr\u003e*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox \u003c 102.",
"id": "GHSA-454w-5cf7-2xqx",
"modified": "2025-04-15T21:31:25Z",
"published": "2022-12-22T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34469"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1721220"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-24"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-45GG-VH54-H5M9
Vulnerability from github – Published: 2026-06-25 22:14 – Updated: 2026-07-17 15:32When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "golang.org/x/crypto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.52.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-39828"
],
"database_specific": {
"cwe_ids": [
"CWE-281",
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-25T22:14:38Z",
"nvd_published_at": "2026-05-22T04:16:22Z",
"severity": "MODERATE"
},
"details": "When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.",
"id": "GHSA-45gg-vh54-h5m9",
"modified": "2026-07-17T15:32:12Z",
"published": "2026-06-25T22:14:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39828"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26546"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:40119"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:40262"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:40945"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:40969"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:40972"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:40974"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:41019"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:41031"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:41036"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-39828"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480687"
},
{
"type": "PACKAGE",
"url": "https://cs.opensource.google/go/x/crypto"
},
{
"type": "WEB",
"url": "https://go.dev/cl/781621"
},
{
"type": "WEB",
"url": "https://go.dev/issue/79562"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2026-5014"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39828.json"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26547"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36105"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36167"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36207"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36319"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36625"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36648"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36651"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36796"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36797"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36808"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:37268"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:37271"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:37272"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:37278"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:37286"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:37296"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:37387"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:40118"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "golang.org/x/crypto vulnerable to invoking bypass of certificate restrictions"
}
GHSA-45Q2-F3RM-5R6V
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2023-02-02 18:30A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as Man in the Middle.
{
"affected": [],
"aliases": [
"CVE-2019-14823"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-358"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-14T20:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in the \"Leaf and Chain\" OCSP policy implementation in JSS\u0027 CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as Man in the Middle.",
"id": "GHSA-45q2-f3rm-5r6v",
"modified": "2023-02-02T18:30:50Z",
"published": "2022-05-24T16:58:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14823"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3067"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3225"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2019-14823"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1747435"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14823"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ENEN4DQBE6WOGEP5BQ5X62WZM7ZQEEBG"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O53NXVKMF7PJCPMCJQHLMSYCUGDHGBVE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UZZWZLNALV6AOIBIHB3ZMNA5AGZMZAIY"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-465W-GG5P-85C9
Vulnerability from github – Published: 2021-05-18 21:09 – Updated: 2021-05-18 20:45An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/kiali/kiali"
},
"ranges": [
{
"events": [
{
"introduced": "0.4.0"
},
{
"fixed": "1.15.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-1762"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-384",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-18T20:45:55Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration.",
"id": "GHSA-465w-gg5p-85c9",
"modified": "2021-05-18T20:45:55Z",
"published": "2021-05-18T21:09:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1762"
},
{
"type": "WEB",
"url": "https://github.com/kiali/kiali/commit/93f5cd0b6698e8fe8772afb8f35816f6c086aef1"
},
{
"type": "WEB",
"url": "https://github.com/kiali/kiali/commit/c91a0949683976f621cca213c1193831d63b381c"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1810387"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1762"
},
{
"type": "WEB",
"url": "https://kiali.io/news/security-bulletins/kiali-security-001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "Insufficient Session Expiration in Kiali"
}
GHSA-468W-8X39-GJ5V
Vulnerability from github – Published: 2022-12-08 16:11 – Updated: 2022-12-12 22:26Impact
There is a potential vulnerability in Traefik managing the TLS connections.
A router configured with a not well-formatted TLSOption is exposed with an empty TLSOption.
For instance, a route secured using an mTLS connection set with a wrong CA file is exposed without verifying the client certificates.
Patches
https://github.com/traefik/traefik/releases/tag/v2.9.6
Workarounds
Check the logs to detect the following error messages and fix your TLS options:
- Empty CA:
{"level":"error","msg":"invalid clientAuthType: RequireAndVerifyClientCert, CAFiles is required","routerName":"Router0@file"}
- Bad CA content (or bad path):
{"level":"error","msg":"invalid certificate(s) content","routerName":"Router0@file"}
- Unknown Client Auth Type:
{"level":"error","msg":"unknown client auth type \"FooClientAuthType\"","routerName":"Router0@file"}
- Invalid cipherSuites
{"level":"error","msg":"invalid CipherSuite: foobar","routerName":"Router0@file"}
- Invalid curvePreferences
{"level":"error","msg":"invalid CurveID in curvePreferences: foobar","routerName":"Router0@file"}
For more information
If you have any questions or comments about this advisory, please open an issue.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.9.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-46153"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-08T16:11:12Z",
"nvd_published_at": "2022-12-08T22:15:00Z",
"severity": "MODERATE"
},
"details": "## Impact\n\nThere is a potential vulnerability in Traefik managing the TLS connections.\n\nA router configured with a not well-formatted [TLSOption](https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options) is exposed with an empty TLSOption.\n\nFor instance, a route secured using an mTLS connection set with a wrong CA file is exposed without verifying the client certificates.\n\n## Patches\n\nhttps://github.com/traefik/traefik/releases/tag/v2.9.6\n\n## Workarounds\n\nCheck the logs to detect the following error messages and fix your TLS options:\n\n- Empty CA:\n\n```\n{\"level\":\"error\",\"msg\":\"invalid clientAuthType: RequireAndVerifyClientCert, CAFiles is required\",\"routerName\":\"Router0@file\"}\n```\n\n- Bad CA content (or bad path):\n\n```\n{\"level\":\"error\",\"msg\":\"invalid certificate(s) content\",\"routerName\":\"Router0@file\"}\n```\n\n- Unknown Client Auth Type:\n\n```\n{\"level\":\"error\",\"msg\":\"unknown client auth type \\\"FooClientAuthType\\\"\",\"routerName\":\"Router0@file\"}\n```\n\n- Invalid cipherSuites\n\n```\n{\"level\":\"error\",\"msg\":\"invalid CipherSuite: foobar\",\"routerName\":\"Router0@file\"}\n```\n\n- Invalid curvePreferences\n\n```\n{\"level\":\"error\",\"msg\":\"invalid CurveID in curvePreferences: foobar\",\"routerName\":\"Router0@file\"}\n``` \n\n## For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).",
"id": "GHSA-468w-8x39-gj5v",
"modified": "2022-12-12T22:26:28Z",
"published": "2022-12-08T16:11:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-468w-8x39-gj5v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46153"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/commit/7e3fe48b80083b41e9ff82a474a36484cabc701a"
},
{
"type": "WEB",
"url": "https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options"
},
{
"type": "PACKAGE",
"url": "https://github.com/traefik/traefik"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v2.9.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Traefik routes exposed with an empty TLSOption"
}
Mitigation
Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.
Mitigation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.