CWE-297
AllowedImproper Validation of Certificate with Host Mismatch
Abstraction: Variant · Status: Incomplete
The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.
101 vulnerabilities reference this CWE, most recent first.
GHSA-GF47-QGG5-9G9Q
Vulnerability from github – Published: 2026-04-28 12:31 – Updated: 2026-07-09 15:32Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.
{
"affected": [],
"aliases": [
"CVE-2026-41603"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-297"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-28T10:16:03Z",
"severity": "HIGH"
},
"details": "Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift.\n\nThis issue affects Apache Thrift: before 0.23.0.\n\nUsers are recommended to upgrade to version 0.23.0, which fixes the issue.",
"id": "GHSA-gf47-qgg5-9g9q",
"modified": "2026-07-09T15:32:00Z",
"published": "2026-04-28T12:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41603"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:14885"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21769"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:22347"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:22423"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:23345"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:24539"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36882"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-41603"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463411"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41603.json"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GW55-JM4H-X339
Vulnerability from github – Published: 2020-05-08 18:54 – Updated: 2021-10-08 19:56The Java-WebSocket Client does not perform hostname verification.
- This means that SSL certificates of other hosts are accepted as long as they are trusted. To exploit this vulnerability an attacker has to perform a man-in-the-middle (MITM) attack between a Java application using the Java-WebSocket Client and an WebSocket server it's connecting to.
- TLS normally protects users and systems against MITM attacks, it cannot if certificates from other trusted hosts are accepted by the client.
For more information see: CWE-297: Improper Validation of Certificate with Host Mismatch - https://cwe.mitre.org/data/definitions/297.html
Important note
The OWASP Dependency-Check (https://jeremylong.github.io/DependencyCheck/index.html) may report that a dependency of your project is affected by this security vulnerability, but you don't use this lib. This is caused by the fuzzy search in the OWASP implementation. Check out this issue (https://github.com/TooTallNate/Java-WebSocket/issues/1019#issuecomment-628507934) for more information and a way to suppress the warning.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.4.1"
},
"package": {
"ecosystem": "Maven",
"name": "org.java-websocket:Java-WebSocket"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-11050"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-297"
],
"github_reviewed": true,
"github_reviewed_at": "2020-05-08T18:54:10Z",
"nvd_published_at": "2020-05-07T21:15:00Z",
"severity": "HIGH"
},
"details": "The Java-WebSocket Client does not perform hostname verification.\n\n - This means that SSL certificates of other hosts are accepted as long as they are trusted. To exploit this vulnerability an attacker has to perform a man-in-the-middle (MITM) attack between a Java application using the Java-WebSocket Client and an WebSocket server it\u0027s connecting to.\n - TLS normally protects users and systems against MITM attacks, it cannot if certificates from other trusted hosts are accepted by the client.\n\nFor more information see: CWE-297: Improper Validation of Certificate with Host Mismatch - https://cwe.mitre.org/data/definitions/297.html\n\n## Important note\n\nThe OWASP Dependency-Check (https://jeremylong.github.io/DependencyCheck/index.html) may report that a dependency of your project is affected by this security vulnerability, but you don\u0027t use this lib.\nThis is caused by the fuzzy search in the OWASP implementation.\nCheck out this issue (https://github.com/TooTallNate/Java-WebSocket/issues/1019#issuecomment-628507934) for more information and a way to suppress the warning.",
"id": "GHSA-gw55-jm4h-x339",
"modified": "2021-10-08T19:56:49Z",
"published": "2020-05-08T18:54:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/TooTallNate/Java-WebSocket/security/advisories/GHSA-gw55-jm4h-x339"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11050"
},
{
"type": "PACKAGE",
"url": "https://github.com/TooTallNate/Java-WebSocket"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Validation of Certificate with Host Mismatch in Java-WebSocket"
}
GHSA-H83P-72JV-G7VP
Vulnerability from github – Published: 2024-08-31 00:31 – Updated: 2024-11-13 18:52A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.kroxylicious:kroxylicious-runtime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-8285"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-297"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-03T20:17:06Z",
"nvd_published_at": "2024-08-30T22:15:06Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server\u0027s hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.",
"id": "GHSA-h83p-72jv-g7vp",
"modified": "2024-11-13T18:52:35Z",
"published": "2024-08-31T00:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8285"
},
{
"type": "WEB",
"url": "https://github.com/kroxylicious/kroxylicious/commit/8be1efcb0a2160fa3ad4cb0e5a27e60160774dce"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:9571"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-8285"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2308606"
},
{
"type": "PACKAGE",
"url": "https://github.com/kroxylicious/kroxylicious"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Missing hostname validation in Kroxylicious"
}
GHSA-H8VM-65GC-GW46
Vulnerability from github – Published: 2024-09-25 03:30 – Updated: 2024-09-25 03:30IBM Storage Defender 2.0.0 through 2.0.7 on-prem defender-sensor-cmd CLI does not validate server name during registration and unregistration operations which could expose sensitive information to an attacker with access to the system.
{
"affected": [],
"aliases": [
"CVE-2024-38324"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-297"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-25T01:15:40Z",
"severity": "MODERATE"
},
"details": "IBM Storage Defender 2.0.0 through 2.0.7 on-prem defender-sensor-cmd CLI does not validate server name during registration and unregistration operations which could expose sensitive information to an attacker with access to the system.",
"id": "GHSA-h8vm-65gc-gw46",
"modified": "2024-09-25T03:30:35Z",
"published": "2024-09-25T03:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38324"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7168640"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HW58-3793-42GG
Vulnerability from github – Published: 2025-04-30 17:24 – Updated: 2025-08-07 15:47A flaw was found in Keycloak. By setting a verification policy to 'ANY', the trust store certificate verification is skipped, which is unintended.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-3501"
],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-30T17:24:21Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "A flaw was found in Keycloak. By setting a verification policy to \u0027ANY\u0027, the trust store certificate verification is skipped, which is unintended.",
"id": "GHSA-hw58-3793-42gg",
"modified": "2025-08-07T15:47:35Z",
"published": "2025-04-30T17:24:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-hw58-3793-42gg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3501"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/issues/39350"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/pull/39366"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/99ca24c832729075e04d8bc58666089268314272"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:4335"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:4336"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-3501"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358834"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak hostname verification"
}
GHSA-JW9P-3GC4-84RW
Vulnerability from github – Published: 2024-09-03 15:30 – Updated: 2024-09-05 15:33Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection. This has been corrected so that default certificates are no longer capable of overriding host name validation and will need to be replaced where full TLS certificate validation is needed for network security. The existing certificates should be replaced with CA-signed certificates from a recognized certificate authority that contain the necessary information to support host name validation.
{
"affected": [],
"aliases": [
"CVE-2024-7346"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-297"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-03T15:15:16Z",
"severity": "HIGH"
},
"details": "Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection.\u00a0 This has been corrected so that default certificates are no longer capable of overriding host name validation and will need to be replaced where full TLS certificate validation is needed for network security.\u00a0 The existing certificates should be replaced with CA-signed certificates from a recognized certificate authority that contain the necessary information to support host name validation.",
"id": "GHSA-jw9p-3gc4-84rw",
"modified": "2024-09-05T15:33:34Z",
"published": "2024-09-03T15:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7346"
},
{
"type": "WEB",
"url": "https://community.progress.com/s/article/Client-connections-using-default-TLS-certificates-from-OpenEdge-may-bypass-TLS-host-name-validation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PX2C-R924-MWCC
Vulnerability from github – Published: 2025-06-18 15:31 – Updated: 2025-06-18 19:42The Couchbase .NET SDK (client library) before 3.7.1 does not properly enable hostname verification for TLS certificates. In fact, the SDK was also using IP addresses instead of hostnames due to a configuration option that was incorrectly enabled by default.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 3.7.1"
},
"package": {
"ecosystem": "NuGet",
"name": "CouchbaseNetClient"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-49015"
],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-18T19:42:25Z",
"nvd_published_at": "2025-06-18T14:15:44Z",
"severity": "MODERATE"
},
"details": "The Couchbase .NET SDK (client library) before 3.7.1 does not properly enable hostname verification for TLS certificates. In fact, the SDK was also using IP addresses instead of hostnames due to a configuration option that was incorrectly enabled by default.",
"id": "GHSA-px2c-r924-mwcc",
"modified": "2025-06-18T19:42:25Z",
"published": "2025-06-18T15:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49015"
},
{
"type": "WEB",
"url": "https://github.com/couchbase/couchbase-net-client/commit/04d1679b2178f922036be6e595b3d91f972c5ba3"
},
{
"type": "WEB",
"url": "https://docs.couchbase.com/server/current/release-notes/relnotes.html"
},
{
"type": "WEB",
"url": "https://forums.couchbase.com/tags/security"
},
{
"type": "PACKAGE",
"url": "https://github.com/couchbase/couchbase-net-client"
},
{
"type": "WEB",
"url": "https://www.couchbase.com/alerts"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Couchbase .NET SDK (client library) does not properly enable hostname verification for TLS certificates"
}
GHSA-PXP5-G66H-WPV2
Vulnerability from github – Published: 2022-09-22 00:00 – Updated: 2022-12-06 19:54Jenkins View26 Test-Reporting Plugin 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server that could be abused using a man-in-the-middle attack to intercept these connections.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:view26"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-41244"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-297"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-23T13:30:36Z",
"nvd_published_at": "2022-09-21T16:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins View26 Test-Reporting Plugin 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server that could be abused using a man-in-the-middle attack to intercept these connections.",
"id": "GHSA-pxp5-g66h-wpv2",
"modified": "2022-12-06T19:54:53Z",
"published": "2022-09-22T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41244"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/view26-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2069"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Missing hostname validation in Jenkins View26 Test-Reporting Plugin"
}
GHSA-R4MC-2XRG-97HV
Vulnerability from github – Published: 2023-09-01 12:30 – Updated: 2024-04-04 07:21An improper certificate validation vulnerability [CWE-295] in FortiManager 7.0.1 and below, 6.4.6 and below; FortiAnalyzer 7.0.2 and below, 6.4.7 and below; FortiOS 6.2.x and 6.0.x; FortiSandbox 4.0.x, 3.2.x and 3.1.x may allow a network adjacent and unauthenticated attacker to man-in-the-middle the communication between the listed products and some external peers.
{
"affected": [],
"aliases": [
"CVE-2022-22305"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-297"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-01T12:15:08Z",
"severity": "MODERATE"
},
"details": "An improper certificate validation vulnerability [CWE-295] in\u00a0FortiManager 7.0.1 and below, 6.4.6 and below; FortiAnalyzer 7.0.2 and below, 6.4.7 and below; FortiOS 6.2.x and 6.0.x; FortiSandbox 4.0.x, 3.2.x and 3.1.x may allow a network adjacent and unauthenticated attacker to\u00a0man-in-the-middle the communication between the listed products and some external peers.",
"id": "GHSA-r4mc-2xrg-97hv",
"modified": "2024-04-04T07:21:33Z",
"published": "2023-09-01T12:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22305"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-18-292"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R53V-VM87-F72C
Vulnerability from github – Published: 2018-10-16 20:50 – Updated: 2024-03-01 20:29The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.axis:axis"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "axis:axis"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-3596"
],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:53:43Z",
"nvd_published_at": "2014-08-27T00:55:00Z",
"severity": "MODERATE"
},
"details": "The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject\u0027s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.",
"id": "GHSA-r53v-vm87-f72c",
"modified": "2024-03-01T20:29:59Z",
"published": "2018-10-16T20:50:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3596"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200227173427/http://www.securityfocus.com/bid/69295"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20160815194947/http://www.securitytracker.com/id/1030745"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/de2af12dcaba653d02b03235327ca4aa930401813a3cced8e151d29c@%3Cjava-dev.axis.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/de2af12dcaba653d02b03235327ca4aa930401813a3cced8e151d29c%40%3Cjava-dev.axis.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/a308887782e05da7cf692e4851ae2bd429a038570cbf594e6631cc8d@%3Cjava-dev.axis.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/a308887782e05da7cf692e4851ae2bd429a038570cbf594e6631cc8d%40%3Cjava-dev.axis.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/8aa25c99eeb0693fc229ec87d1423b5ed5d58558618706d8aba1d832@%3Cjava-dev.axis.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/8aa25c99eeb0693fc229ec87d1423b5ed5d58558618706d8aba1d832%40%3Cjava-dev.axis.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/5e6c92145deddcecf70c3604041dcbd615efa2d37632fc2b9c367780@%3Cjava-dev.axis.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/5e6c92145deddcecf70c3604041dcbd615efa2d37632fc2b9c367780%40%3Cjava-dev.axis.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/44d4e88a5fa8ae60deb752029afe9054da87c5f859caf296fcf585e5@%3Cjava-dev.axis.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/44d4e88a5fa8ae60deb752029afe9054da87c5f859caf296fcf585e5%40%3Cjava-dev.axis.apache.org%3E"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/AXIS-2905"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/95377"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1129935"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2014-3596"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2015:1010"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2014:1193"
},
{
"type": "WEB",
"url": "http://linux.oracle.com/errata/ELSA-2014-1193.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00007.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00022.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1193.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/08/20/2"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Improper Validation of Certificates in apache axis"
}
Mitigation
Fully check the hostname of the certificate and provide the user with adequate information about the nature of the problem and how to proceed.
Mitigation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
No CAPEC attack patterns related to this CWE.