Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2019-11242

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-12 Jul, 2019 | 19:04
Updated At-04 Aug, 2024 | 22:48
Rejected At-
Credits

A man-in-the-middle vulnerability related to vCenter access was found in Cohesity DataPlatform version 5.x and 6.x prior to 6.1.1c. Cohesity clusters did not verify TLS certificates presented by vCenter. This vulnerability could expose Cohesity user credentials configured to access vCenter.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:12 Jul, 2019 | 19:04
Updated At:04 Aug, 2024 | 22:48
Rejected At:
▼CVE Numbering Authority (CNA)

A man-in-the-middle vulnerability related to vCenter access was found in Cohesity DataPlatform version 5.x and 6.x prior to 6.1.1c. Cohesity clusters did not verify TLS certificates presented by vCenter. This vulnerability could expose Cohesity user credentials configured to access vCenter.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/cohesity/SecAdvisory/blob/master/README.md
x_refsource_CONFIRM
Hyperlink: https://github.com/cohesity/SecAdvisory/blob/master/README.md
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/cohesity/SecAdvisory/blob/master/README.md
x_refsource_CONFIRM
x_transferred
Hyperlink: https://github.com/cohesity/SecAdvisory/blob/master/README.md
Resource:
x_refsource_CONFIRM
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:12 Jul, 2019 | 20:15
Updated At:17 Jul, 2019 | 18:39

A man-in-the-middle vulnerability related to vCenter access was found in Cohesity DataPlatform version 5.x and 6.x prior to 6.1.1c. Cohesity clusters did not verify TLS certificates presented by vCenter. This vulnerability could expose Cohesity user credentials configured to access vCenter.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.08.1HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary2.04.3MEDIUM
AV:N/AC:M/Au:N/C:P/I:N/A:N
Type: Primary
Version: 3.0
Base score: 8.1
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 4.3
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:P/I:N/A:N
CPE Matches
Cohesity, Inc.
cohesity
>>dataplatform>>Versions from 5.0(inclusive) to 6.1.1c(exclusive)
cpe:2.3:a:cohesity:dataplatform:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-295Primarynvd@nist.gov
CWE ID: CWE-295
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/cohesity/SecAdvisory/blob/master/README.mdcve@mitre.org
Third Party Advisory
Hyperlink: https://github.com/cohesity/SecAdvisory/blob/master/README.md
Source: cve@mitre.org
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

230Records found
CVE-2021-27189
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.27% / 49.75%
||
7 Day CHG~0.00%
Published-22 Feb, 2021 | 23:16
Updated-03 Aug, 2024 | 20:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The CIRA Canadian Shield app before 4.0.13 for iOS lacks SSL Certificate Validation.

Action-Not Available
Vendor-ciran/a
Product-canadian_shieldn/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2015-7778
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-5.9||MEDIUM
EPSS-0.67% / 70.34%
||
7 Day CHG~0.00%
Published-10 Oct, 2017 | 16:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Gurunavi App for iOS before 6.0.0 does not verify SSL certificates which could allow remote attackers to perform man-in-the-middle attacks.

Action-Not Available
Vendor-gurunavin/a
Product-gournavin/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2021-27768
Matching Score-4
Assigner-HCL Software
ShareView Details
Matching Score-4
Assigner-HCL Software
CVSS Score-6.3||MEDIUM
EPSS-0.09% / 27.20%
||
7 Day CHG~0.00%
Published-12 May, 2022 | 21:25
Updated-16 Sep, 2024 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
An SSL certificate host verification vulnerability affects HCL Verse for Android

Using the ability to perform a Man-in-the-Middle (MITM) attack, which indicates a lack of hostname verification, sensitive account information was able to be intercepted. In this specific scenario, the application's network traffic was intercepted using a proxy server set up in 'transparent' mode while a certificate with an invalid hostname was active. The Android application was found to have hostname verification issues during the server setup and login flows; however, the application did not process requests post-login.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-verseVerse for Android
CWE ID-CWE-300
Channel Accessible by Non-Endpoint
CWE ID-CWE-295
Improper Certificate Validation
CVE-2017-5916
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.12% / 31.90%
||
7 Day CHG~0.00%
Published-05 May, 2017 | 07:04
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The America's First Federal Credit Union (FCU) Mobile Banking app 3.1.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Action-Not Available
Vendor-america\'s_first_federal_credit_unionn/a
Product-america\'s_first_fcu_mobile_bankingn/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2021-23167
Matching Score-4
Assigner-Gallagher Group Ltd.
ShareView Details
Matching Score-4
Assigner-Gallagher Group Ltd.
CVSS Score-8.1||HIGH
EPSS-0.10% / 28.59%
||
7 Day CHG~0.00%
Published-18 Nov, 2021 | 18:00
Updated-17 Sep, 2024 | 02:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper certificate validation vulnerability in SMTP Client allows man-in-the-middle attack to retrieve sensitive information from the Command Centre Server. This issue affects: Gallagher Command Centre 8.50 versions prior to 8.50.2048 (MR3); 8.40 versions prior to 8.40.2063 (MR4); 8.30 versions prior to 8.30.1454 (MR4) ; version 8.20 and prior versions.

Action-Not Available
Vendor-Gallagher Group Ltd.
Product-command_centreCommand Centre
CWE ID-CWE-295
Improper Certificate Validation
CVE-2021-23155
Matching Score-4
Assigner-Gallagher Group Ltd.
ShareView Details
Matching Score-4
Assigner-Gallagher Group Ltd.
CVSS Score-9||CRITICAL
EPSS-0.13% / 33.14%
||
7 Day CHG~0.00%
Published-18 Nov, 2021 | 17:58
Updated-17 Sep, 2024 | 00:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper validation of the cloud certificate chain in Mobile Client allows man-in-the-middle attack to impersonate the legitimate Command Centre Server. This issue affects: Gallagher Command Centre Mobile Client for Android 8.60 versions prior to 8.60.065; version 8.50 and prior versions.

Action-Not Available
Vendor-Gallagher Group Ltd.
Product-command_centre_mobile_clientCommand Centre Mobile Client for Android
CWE ID-CWE-296
Improper Following of a Certificate's Chain of Trust
CWE ID-CWE-295
Improper Certificate Validation
CVE-2019-10381
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-7.5||HIGH
EPSS-0.05% / 16.10%
||
7 Day CHG~0.00%
Published-07 Aug, 2019 | 14:20
Updated-04 Aug, 2024 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Codefresh Integration Plugin 1.8 and earlier disables SSL/TLS and hostname verification globally for the Jenkins master JVM.

Action-Not Available
Vendor-Jenkins
Product-codefresh_integrationJenkins Codefresh Integration Plugin
CWE ID-CWE-295
Improper Certificate Validation
CVE-2019-10314
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 19.78%
||
7 Day CHG~0.00%
Published-30 Apr, 2019 | 12:25
Updated-04 Aug, 2024 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Koji Plugin disables SSL/TLS and hostname verification globally for the Jenkins master JVM.

Action-Not Available
Vendor-Jenkins
Product-kojiJenkins Koji Plugin
CWE ID-CWE-295
Improper Certificate Validation
CVE-2019-10317
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 19.78%
||
7 Day CHG~0.00%
Published-30 Apr, 2019 | 12:25
Updated-04 Aug, 2024 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins SiteMonitor Plugin 0.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM.

Action-Not Available
Vendor-Jenkins
Product-sitemonitorJenkins SiteMonitor Plugin
CWE ID-CWE-295
Improper Certificate Validation
CVE-2015-7785
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-5.9||MEDIUM
EPSS-0.30% / 52.92%
||
7 Day CHG~0.00%
Published-25 Sep, 2017 | 21:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

GANMA! App for iOS does not verify SSL certificates.

Action-Not Available
Vendor-comicsmartn/a
Product-ganma\!n/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2018-6827
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.49% / 64.69%
||
7 Day CHG-0.03%
Published-09 Feb, 2018 | 15:00
Updated-05 Aug, 2024 | 06:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

VOBOT CLOCK before 0.99.30 devices do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information, and consequently execute arbitrary code, via a crafted certificate, as demonstrated by leveraging a hardcoded --no-check-certificate Wget option.

Action-Not Available
Vendor-omninovan/a
Product-vobot_firmwarevobotn/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2014-7242
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-5.9||MEDIUM
EPSS-0.26% / 48.79%
||
7 Day CHG~0.00%
Published-18 Oct, 2017 | 14:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SumaHo application 3.0.0 and earlier for Android and the SumaHo "driving capability" diagnosis result transmission application 1.2.2 and earlier for Android allow man-in-the-middle attackers to spoof servers and obtain sensitive information by leveraging failure to verify SSL/TLS server certificates.

Action-Not Available
Vendor-ms-insn/a
Product-sumahosumaho_driving_capability_diagnosisn/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2018-5258
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.23% / 45.82%
||
7 Day CHG~0.00%
Published-17 Jan, 2018 | 17:00
Updated-05 Aug, 2024 | 05:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Neon app 1.6.14 iOS does not verify X.509 certificates from SSL servers, which allows remote attackers to spoof servers and obtain sensitive information via a crafted certificate.

Action-Not Available
Vendor-banconeonn/a
Product-neonn/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2018-3927
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-6.8||MEDIUM
EPSS-0.37% / 58.12%
||
7 Day CHG~0.00%
Published-27 Aug, 2018 | 15:00
Updated-16 Sep, 2024 | 18:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable information disclosure vulnerability exists in the crash handler of the hubCore binary of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. When hubCore crashes, Google Breakpad is used to record minidumps, which are sent over an insecure HTTPS connection to the backtrace.io service, leading to the exposure of sensitive data. An attacker can impersonate the remote backtrace.io server in order to trigger this vulnerability.

Action-Not Available
Vendor-Samsung
Product-sth-eth-250sth-eth-250_firmwareSamsung
CWE ID-CWE-295
Improper Certificate Validation
CVE-2015-6358
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5.9||MEDIUM
EPSS-1.97% / 82.77%
||
7 Day CHG~0.00%
Published-12 Oct, 2017 | 15:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple Cisco embedded devices use hardcoded X.509 certificates and SSH host keys embedded in the firmware, which allows remote attackers to defeat cryptographic protection mechanisms and conduct man-in-the-middle attacks by leveraging knowledge of these certificates and keys from another installation, aka Bug IDs CSCuw46610, CSCuw46620, CSCuw46637, CSCuw46654, CSCuw46665, CSCuw46672, CSCuw46677, CSCuw46682, CSCuw46705, CSCuw46716, CSCuw46979, CSCuw47005, CSCuw47028, CSCuw47040, CSCuw47048, CSCuw47061, CSCuw90860, CSCuw90869, CSCuw90875, CSCuw90881, CSCuw90899, and CSCuw90913.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-wap200wap200_firmwarespa400rv325rv120w_firmwarewap4410nwap4410n_firmwaresrw224p_firmwarerv180rv180w_firmwarewet200rv320_firmwarerv220wsrp520_firmwarerv320rv120wwap2000wrv210_firmwarewrv200rtp300wet200_firmwarerv315w_firmwarerv180wsrp520wrp500rtp300_firmwarewrv210wrvs4400nwap4400nsrp520-u_firmwarespa400_firmwarervs4000_firmwarepvc2300_firmwarerv315wrv325_firmwarewvc2300rv180_firmwaresrw224psrp520-uwrvs4400n_firmwarewrp500_firmwarervs4000rv220w_firmwarewvc2300_firmwarewap2000_firmwarepvc2300wap4400n_firmwarewrv200_firmwaren/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2015-5619
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.31% / 53.31%
||
7 Day CHG~0.00%
Published-09 Aug, 2017 | 16:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SSL/TLS certificates from the Logstash server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack.

Action-Not Available
Vendor-n/aElasticsearch BV
Product-logstashn/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2015-5263
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-8.1||HIGH
EPSS-0.30% / 52.65%
||
7 Day CHG~0.00%
Published-25 Sep, 2017 | 21:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

pulp-consumer-client 2.4.0 through 2.6.3 does not check the server's TLS certificate signatures when retrieving the server's public key upon registration.

Action-Not Available
Vendor-pulpprojectn/a
Product-pulpn/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2015-5666
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-5.9||MEDIUM
EPSS-0.58% / 68.04%
||
7 Day CHG~0.00%
Published-25 Sep, 2017 | 21:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ANA App for Android 3.1.1 and earlier, and ANA App for iOS 3.3.6 and earlier does not verify SSL certificates.

Action-Not Available
Vendor-n/aANA (All Nippon Airways)
Product-all_nippon_airwaysn/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2015-2318
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-1.29% / 78.84%
||
7 Day CHG~0.00%
Published-08 Jan, 2018 | 19:00
Updated-06 Aug, 2024 | 05:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The TLS stack in Mono before 3.12.1 allows man-in-the-middle attackers to conduct message skipping attacks and consequently impersonate clients by leveraging missing handshake state validation, aka a "SMACK SKIP-TLS" issue.

Action-Not Available
Vendor-mono-projectn/aDebian GNU/Linux
Product-debian_linuxmonon/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2015-2981
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-5.9||MEDIUM
EPSS-0.50% / 64.82%
||
7 Day CHG~0.00%
Published-12 Jan, 2018 | 17:00
Updated-06 Aug, 2024 | 05:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Yodobashi App for Android 1.2.1.0 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Action-Not Available
Vendor-yodobashin/a
Product-yodobashin/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2015-2943
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-5.9||MEDIUM
EPSS-0.30% / 52.92%
||
7 Day CHG~0.00%
Published-06 Sep, 2017 | 21:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Honda Moto LINC 1.6.1 does not verify SSL certificates.

Action-Not Available
Vendor-hondan/a
Product-moto_lincn/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2015-0874
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-5.9||MEDIUM
EPSS-0.50% / 64.82%
||
7 Day CHG~0.00%
Published-26 Sep, 2017 | 14:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Smartphone Passbook 1.0.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to obtain sensitive information from encrypted communications via a crafted certificate.

Action-Not Available
Vendor-okbn/aApple Inc.Google LLC
Product-iphone_ossmart_passbookandroidn/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2015-0210
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5.9||MEDIUM
EPSS-0.30% / 52.87%
||
7 Day CHG~0.00%
Published-28 Aug, 2017 | 15:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

wpa_supplicant 2.0-16 does not properly check certificate subject name, which allows remote attackers to cause a man-in-the-middle attack.

Action-Not Available
Vendor-w1.fin/a
Product-wpa_supplicantn/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2018-2460
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-5.9||MEDIUM
EPSS-0.14% / 35.09%
||
7 Day CHG~0.00%
Published-11 Sep, 2018 | 15:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Business One Android application, version 1.2, does not verify the certificate properly for HTTPS connection. This allows attacker to do MITM attack.

Action-Not Available
Vendor-SAP SE
Product-business_oneSAP Business One Android application
CWE ID-CWE-295
Improper Certificate Validation
CVE-2020-14980
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.08% / 24.67%
||
7 Day CHG~0.00%
Published-22 Jun, 2020 | 17:39
Updated-04 Aug, 2024 | 13:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Sophos Secure Email application through 3.9.4 for Android has Missing SSL Certificate Validation.

Action-Not Available
Vendor-n/aSophos Ltd.
Product-sophos_secure_emailn/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2016-9952
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-1.06% / 76.75%
||
7 Day CHG~0.00%
Published-12 Mar, 2018 | 21:00
Updated-07 Aug, 2024 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, makes it easier for remote attackers to conduct man-in-the-middle attacks via a crafted wildcard SAN in a server certificate, as demonstrated by "*.com."

Action-Not Available
Vendor-n/aMicrosoft CorporationCURL
Product-curlwindows_embedded_compactn/acurl
CWE ID-CWE-295
Improper Certificate Validation
CVE-2020-9488
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-3.7||LOW
EPSS-0.02% / 4.17%
||
7 Day CHG~0.00%
Published-27 Apr, 2020 | 15:36
Updated-04 Aug, 2024 | 10:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

Action-Not Available
Vendor-qosThe Apache Software FoundationDebian GNU/LinuxOracle Corporation
Product-retail_bulk_data_integrationpeoplesoft_enterprise_peopletoolsprimavera_unifierreload4jretail_assortment_planningstoragetek_acslspolicy_automationfinancial_services_retail_customer_analyticsfinancial_services_price_creation_and_discoverycommunications_eagle_ftp_table_base_retrievalcommunications_application_session_controllerinsurance_policy_administration_j2eepolicy_automation_for_mobile_devicesspatial_and_graphfinancial_services_analytical_applications_infrastructurecommunications_unified_inventory_managementretail_advanced_inventory_planningcommunications_services_gatekeeperretail_order_broker_cloud_serviceinsurance_insbridge_rating_and_underwritingretail_customer_management_and_segmentation_foundationretail_predictive_application_serverjd_edwards_world_securityinsurance_rules_palettecommunications_billing_and_revenue_managementcommunications_offline_mediation_controllerenterprise_manager_for_peoplesoftsiebel_apps_-_marketingsiebel_ui_frameworkflexcube_private_bankingretail_integration_busretail_eftlinkutilities_frameworkoracle_goldengate_application_adaptersfinancial_services_institutional_performance_analyticspolicy_automation_connector_for_siebelstoragetek_tape_analytics_sw_toolretail_insights_cloud_service_suiteweblogic_serverdebian_linuxhealth_sciences_information_managerflexcube_core_bankingretail_xstore_point_of_servicelog4jfinancial_services_market_risk_measurement_and_managementdata_integratorApache Log4j
CWE ID-CWE-295
Improper Certificate Validation
CVE-2020-5526
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-5.9||MEDIUM
EPSS-0.16% / 36.99%
||
7 Day CHG~0.00%
Published-31 Jan, 2020 | 03:35
Updated-04 Aug, 2024 | 08:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The AWMS Mobile App for Android 2.0.0 to 2.0.5 and for iOS 2.0.0 to 2.0.8 does not verify X.509 certificates from servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Action-Not Available
Vendor-fujixeroxFuji Xerox Co.,Ltd.
Product-apeosware_management_suiteAWMS Mobile App
CWE ID-CWE-295
Improper Certificate Validation
CVE-2019-6702
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.76% / 72.36%
||
7 Day CHG~0.00%
Published-17 Mar, 2019 | 17:13
Updated-04 Aug, 2024 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The MasterCard Qkr! app before 5.0.8 for iOS has Missing SSL Certificate Validation. NOTE: this CVE only applies to obsolete versions from 2016 or earlier.

Action-Not Available
Vendor-mastercardn/a
Product-qkr\!_with_masterpassn/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2017-5914
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.12% / 31.90%
||
7 Day CHG~0.00%
Published-05 May, 2017 | 07:04
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The DOT IT Banque Zitouna app 2.1 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Action-Not Available
Vendor-dotit-corpn/a
Product-banque_zitounan/a
CWE ID-CWE-295
Improper Certificate Validation
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • Next
Details not found