CWE-297
AllowedImproper Validation of Certificate with Host Mismatch
Abstraction: Variant · Status: Incomplete
The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.
101 vulnerabilities reference this CWE, most recent first.
GHSA-R934-W73G-V4P8
Vulnerability from github – Published: 2025-04-29 21:31 – Updated: 2025-06-09 15:31Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-hw58-3793-42gg. This link is maintained to preserve external references.
Original Description
A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-30T17:24:10Z",
"nvd_published_at": "2025-04-29T21:15:51Z",
"severity": "HIGH"
},
"details": "# Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-hw58-3793-42gg. This link is maintained to preserve external references.\n\n# Original Description\nA flaw was found in Keycloak. By setting a verification policy to \u0027ALL\u0027, the trust store certificate verification is skipped, which is unintended.",
"id": "GHSA-r934-w73g-v4p8",
"modified": "2025-06-09T15:31:36Z",
"published": "2025-04-29T21:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3501"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:4335"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:4336"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:8672"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:8690"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-3501"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358834"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Keycloak hostname verification",
"withdrawn": "2025-04-30T17:24:10Z"
}
GHSA-RM7V-GQFG-P2WC
Vulnerability from github – Published: 2022-05-14 01:11 – Updated: 2022-07-07 22:38The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "edu.internet2.middleware:shibboleth-identityprovider"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.opensaml:opensaml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-3603"
],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-07T22:38:37Z",
"nvd_published_at": "2019-04-04T14:29:00Z",
"severity": "MODERATE"
},
"details": "The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject\u0027s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
"id": "GHSA-rm7v-gqfg-p2wc",
"modified": "2022-07-07T22:38:37Z",
"published": "2022-05-14T01:11:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3603"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131823"
},
{
"type": "WEB",
"url": "http://shibboleth.net/community/advisories/secadv_20140813.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Validation of Certificate with Host Mismatch in Shibboleth Identity Provider and OpenSAML Java"
}
GHSA-RW69-WR48-W7PX
Vulnerability from github – Published: 2023-12-01 00:31 – Updated: 2023-12-01 00:31KEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect.
{
"affected": [],
"aliases": [
"CVE-2023-5909"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-297"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-30T22:15:10Z",
"severity": "HIGH"
},
"details": "\n\n\n\n\n\n\n\n\nKEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect.\n\n\n\n\n\n\n\n",
"id": "GHSA-rw69-wr48-w7px",
"modified": "2023-12-01T00:31:00Z",
"published": "2023-12-01T00:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5909"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VC5P-V9HR-52MJ
Vulnerability from github – Published: 2025-12-18 21:31 – Updated: 2025-12-19 22:08The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName configuration attribute or the log4j2.sslVerifyHostName system property is set to true.
This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:
- The attacker is able to intercept or redirect network traffic between the client and the log receiver.
- The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured).
Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.
As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.logging.log4j:log4j-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.0-beta9"
},
{
"fixed": "2.25.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68161"
],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-19T22:08:02Z",
"nvd_published_at": "2025-12-18T21:15:57Z",
"severity": "MODERATE"
},
"details": "The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the [verifyHostName](https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) configuration attribute or the [log4j2.sslVerifyHostName](https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) system property is set to true.\n\nThis issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:\n\n * The attacker is able to intercept or redirect network traffic between the client and the log receiver.\n * The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender\u2019s configured trust store (or by the default Java trust store if no custom trust store is configured).\n\n\nUsers are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.\n\nAs an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.",
"id": "GHSA-vc5p-v9hr-52mj",
"modified": "2025-12-19T22:08:02Z",
"published": "2025-12-18T21:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68161"
},
{
"type": "WEB",
"url": "https://github.com/apache/logging-log4j2/pull/4002"
},
{
"type": "WEB",
"url": "https://github.com/apache/logging-log4j2/commit/3b93748497e1adbbd027fda8a5e7268ec5d0d578"
},
{
"type": "WEB",
"url": "https://github.com/apache/logging-log4j2"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/xr33kyxq3sl67lwb61ggvm1fzc8k7dvx"
},
{
"type": "WEB",
"url": "https://logging.apache.org/cyclonedx/vdr.xml"
},
{
"type": "WEB",
"url": "https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName"
},
{
"type": "WEB",
"url": "https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName"
},
{
"type": "WEB",
"url": "https://logging.apache.org/security.html#CVE-2025-68161"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/12/18/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache Log4j does not verify the TLS hostname in its Socket Appender"
}
GHSA-VMVC-QPG6-JPWH
Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-09-17 15:30An issue was discovered in the methods push.lite.avtech.com.AvtechLib.GetHttpsResponse and push.lite.avtech.com.Push_HttpService.getNewHttpClient in AVTECH EagleEyes 2.0.0. The methods set ALLOW_ALL_HOSTNAME_VERIFIER, bypassing domain validation.
{
"affected": [],
"aliases": [
"CVE-2025-46408"
],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T14:15:43Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in the methods push.lite.avtech.com.AvtechLib.GetHttpsResponse and push.lite.avtech.com.Push_HttpService.getNewHttpClient in AVTECH EagleEyes 2.0.0. The methods set ALLOW_ALL_HOSTNAME_VERIFIER, bypassing domain validation.",
"id": "GHSA-vmvc-qpg6-jpwh",
"modified": "2025-09-17T15:30:26Z",
"published": "2025-09-15T15:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46408"
},
{
"type": "WEB",
"url": "https://github.com/shinyColumn/CVE-2025-46408"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WWH7-VXVP-9VMX
Vulnerability from github – Published: 2025-07-22 15:32 – Updated: 2026-06-05 18:31Improper Validation of Certificate with Host Mismatch vulnerability in HotelRunner B2B allows HTTP Response Splitting.This issue affects B2B: before 04.06.2025.
{
"affected": [],
"aliases": [
"CVE-2025-4295"
],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-22T14:15:34Z",
"severity": "MODERATE"
},
"details": "Improper Validation of Certificate with Host Mismatch vulnerability in HotelRunner B2B allows HTTP Response Splitting.This issue affects B2B: before 04.06.2025.",
"id": "GHSA-wwh7-vxvp-9vmx",
"modified": "2026-06-05T18:31:31Z",
"published": "2025-07-22T15:32:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4295"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0169"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-25-0169"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X9Q2-9WF7-RMVQ
Vulnerability from github – Published: 2024-06-11 15:31 – Updated: 2024-06-11 15:31Allow attackers to intercept or falsify data exchanges between the client and the server
{
"affected": [],
"aliases": [
"CVE-2024-2462"
],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-11T13:15:49Z",
"severity": null
},
"details": "Allow attackers to intercept or falsify data exchanges between the client \nand the server",
"id": "GHSA-x9q2-9wf7-rmvq",
"modified": "2024-06-11T15:31:13Z",
"published": "2024-06-11T15:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2462"
},
{
"type": "WEB",
"url": "https://publisher.hitachienergy.com/preview?DocumentId=8DBD000198\u0026languageCode=en\u0026Preview=true"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XCP8-J3HP-GGM2
Vulnerability from github – Published: 2022-05-17 01:21 – Updated: 2022-05-17 01:21PKId in Juniper Junos OS before 12.1X44-D52, 12.1X46 before 12.1X46-D37, 12.1X47 before 12.1X47-D30, 12.3 before 12.3R12, 12.3X48 before 12.3X48-D20, 13.3 before 13.3R10, 14.1 before 14.1R8, 14.1X53 before 14.1X53-D40, 14.2 before 14.2R7, 15.1 before 15.1R4, 15.1X49 before 15.1X49-D20, 15.1X53 before 15.1X53-D60, and 16.1 before 16.1R1 allow remote attackers to bypass an intended certificate validation mechanism via a self-signed certificate with an Issuer name that matches a valid CA certificate enrolled in Junos.
{
"affected": [],
"aliases": [
"CVE-2016-1280"
],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-09-09T14:05:00Z",
"severity": "MODERATE"
},
"details": "PKId in Juniper Junos OS before 12.1X44-D52, 12.1X46 before 12.1X46-D37, 12.1X47 before 12.1X47-D30, 12.3 before 12.3R12, 12.3X48 before 12.3X48-D20, 13.3 before 13.3R10, 14.1 before 14.1R8, 14.1X53 before 14.1X53-D40, 14.2 before 14.2R7, 15.1 before 15.1R4, 15.1X49 before 15.1X49-D20, 15.1X53 before 15.1X53-D60, and 16.1 before 16.1R1 allow remote attackers to bypass an intended certificate validation mechanism via a self-signed certificate with an Issuer name that matches a valid CA certificate enrolled in Junos.",
"id": "GHSA-xcp8-j3hp-ggm2",
"modified": "2022-05-17T01:21:44Z",
"published": "2022-05-17T01:21:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1280"
},
{
"type": "WEB",
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10755"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/91761"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1036303"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XP2H-P87P-622P
Vulnerability from github – Published: 2025-03-11 09:30 – Updated: 2025-03-11 15:30The mobile application (com.transsnet.store) has a man-in-the-middle attack vulnerability, which may lead to code injection risks.
{
"affected": [],
"aliases": [
"CVE-2025-2190"
],
"database_specific": {
"cwe_ids": [
"CWE-297",
"CWE-300"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-11T07:15:37Z",
"severity": "HIGH"
},
"details": "The mobile application (com.transsnet.store) has a man-in-the-middle attack vulnerability, which may lead to code injection risks.",
"id": "GHSA-xp2h-p87p-622p",
"modified": "2025-03-11T15:30:59Z",
"published": "2025-03-11T09:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2190"
},
{
"type": "WEB",
"url": "https://security.tecno.com/SRC/blogdetail/393?lang=en_US"
},
{
"type": "WEB",
"url": "https://security.tecno.com/SRC/securityUpdates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XP6F-P933-2GQG
Vulnerability from github – Published: 2026-02-12 18:30 – Updated: 2026-02-20 18:31Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disable TLS hostname verification when HTTPS is enabled (the default configuration). In GalaxyFDSClientImpl.createHttpClient(), the SDK configures Apache HttpClient with SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER, which accepts any valid TLS certificate regardless of hostname mismatch. Because HTTPS is enabled by default in FDSClientConfiguration, all applications using the SDK with default settings are affected. This vulnerability allows a man-in-the-middle attacker to intercept and modify SDK communications to Xiaomi FDS cloud storage endpoints, potentially exposing authentication credentials, file contents, and API responses. The XiaoMi/galaxy-fds-sdk-android open source project has reached end-of-life status.
{
"affected": [],
"aliases": [
"CVE-2026-26214"
],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-12T16:16:17Z",
"severity": "CRITICAL"
},
"details": "Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disable TLS hostname verification when HTTPS is enabled (the default configuration). In GalaxyFDSClientImpl.createHttpClient(), the SDK configures Apache HttpClient with SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER, which accepts any valid TLS certificate regardless of hostname mismatch. Because HTTPS is enabled by default in FDSClientConfiguration, all applications using the SDK with default settings are affected. This vulnerability allows a man-in-the-middle attacker to intercept and modify SDK communications to Xiaomi FDS cloud storage endpoints, potentially exposing authentication credentials, file contents, and API responses. The XiaoMi/galaxy-fds-sdk-android open source project has reached end-of-life status.",
"id": "GHSA-xp6f-p933-2gqg",
"modified": "2026-02-20T18:31:26Z",
"published": "2026-02-12T18:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26214"
},
{
"type": "WEB",
"url": "https://github.com/XavLimSG/Vulnerability-Research/blob/main/CVE-2026-26214/CVE-2026-26214.md"
},
{
"type": "WEB",
"url": "https://github.com/XiaoMi/galaxy-fds-sdk-android"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/xiaomi-galaxy-fds-android-sdk-tls-hostname-verification-disabled-enables-mitm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Fully check the hostname of the certificate and provide the user with adequate information about the nature of the problem and how to proceed.
Mitigation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
No CAPEC attack patterns related to this CWE.