Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-45597

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-24 Mar, 2023 | 00:00
Updated At-03 Aug, 2024 | 14:17
Rejected At-
Credits

ComponentSpace.Saml2 4.4.0 Missing SSL Certificate Validation. NOTE: the vendor does not consider this a vulnerability because the report is only about use of certificates at the application layer (not the transport layer) and "Certificates are exchanged in a controlled fashion between entities within a trust relationship. This is why self-signed certificates may be used and why validating certificates isn’t as important as doing so for the transport layer certificates."

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:24 Mar, 2023 | 00:00
Updated At:03 Aug, 2024 | 14:17
Rejected At:
▼CVE Numbering Authority (CNA)

ComponentSpace.Saml2 4.4.0 Missing SSL Certificate Validation. NOTE: the vendor does not consider this a vulnerability because the report is only about use of certificates at the application layer (not the transport layer) and "Certificates are exchanged in a controlled fashion between entities within a trust relationship. This is why self-signed certificates may be used and why validating certificates isn’t as important as doing so for the transport layer certificates."

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://componentspace.com
N/A
http://componentspacesaml2.com
N/A
https://www.componentspace.com/documentation/saml-for-asp-net-core/ComponentSpace%20SAML%20for%20ASP.NET%20Core%20Release%20Notes.pdf
N/A
Hyperlink: http://componentspace.com
Resource: N/A
Hyperlink: http://componentspacesaml2.com
Resource: N/A
Hyperlink: https://www.componentspace.com/documentation/saml-for-asp-net-core/ComponentSpace%20SAML%20for%20ASP.NET%20Core%20Release%20Notes.pdf
Resource: N/A
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://componentspace.com
x_transferred
http://componentspacesaml2.com
x_transferred
https://www.componentspace.com/documentation/saml-for-asp-net-core/ComponentSpace%20SAML%20for%20ASP.NET%20Core%20Release%20Notes.pdf
x_transferred
Hyperlink: http://componentspace.com
Resource:
x_transferred
Hyperlink: http://componentspacesaml2.com
Resource:
x_transferred
Hyperlink: https://www.componentspace.com/documentation/saml-for-asp-net-core/ComponentSpace%20SAML%20for%20ASP.NET%20Core%20Release%20Notes.pdf
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:24 Mar, 2023 | 23:15
Updated At:17 May, 2024 | 02:15

ComponentSpace.Saml2 4.4.0 Missing SSL Certificate Validation. NOTE: the vendor does not consider this a vulnerability because the report is only about use of certificates at the application layer (not the transport layer) and "Certificates are exchanged in a controlled fashion between entities within a trust relationship. This is why self-signed certificates may be used and why validating certificates isn’t as important as doing so for the transport layer certificates."

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches
componentspace
componentspace
>>saml>>4.4.0
cpe:2.3:a:componentspace:saml:4.4.0:*:*:*:*:asp.net:*:*
Weaknesses
CWE IDTypeSource
CWE-295Primarynvd@nist.gov
CWE ID: CWE-295
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://componentspace.comcve@mitre.org
Product
http://componentspacesaml2.comcve@mitre.org
Broken Link
https://www.componentspace.com/documentation/saml-for-asp-net-core/ComponentSpace%20SAML%20for%20ASP.NET%20Core%20Release%20Notes.pdfcve@mitre.org
Release Notes
Hyperlink: http://componentspace.com
Source: cve@mitre.org
Resource:
Product
Hyperlink: http://componentspacesaml2.com
Source: cve@mitre.org
Resource:
Broken Link
Hyperlink: https://www.componentspace.com/documentation/saml-for-asp-net-core/ComponentSpace%20SAML%20for%20ASP.NET%20Core%20Release%20Notes.pdf
Source: cve@mitre.org
Resource:
Release Notes

Change History

0
Information is not available yet

Similar CVEs

60Records found
CVE-2020-24714
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.22% / 44.73%
||
7 Day CHG~0.00%
Published-27 Aug, 2020 | 21:52
Updated-04 Aug, 2024 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Scalyr Agent before 2.1.10 has Missing SSL Certificate Validation because, in some circumstances, the openssl binary is called without the -verify_hostname option.

Action-Not Available
Vendor-scalyrn/a
Product-scalyr_agentn/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2020-1952
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-1.65% / 81.27%
||
7 Day CHG~0.00%
Published-27 Apr, 2020 | 16:16
Updated-04 Aug, 2024 | 06:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was found in Apache IoTDB .9.0 to 0.9.1 and 0.8.0 to 0.8.2. When starting IoTDB, the JMX port 31999 is exposed with no certification.Then, clients could execute code remotely.

Action-Not Available
Vendor-The Apache Software Foundation
Product-iotdbIoTDB
CWE ID-CWE-295
Improper Certificate Validation
CVE-2022-21654
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.4||HIGH
EPSS-0.06% / 18.84%
||
7 Day CHG~0.00%
Published-22 Feb, 2022 | 22:35
Updated-23 Apr, 2025 | 19:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect configuration handling allows TLS session re-use without re-validation in Envoy

Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used. Users are advised to upgrade.

Action-Not Available
Vendor-envoyproxyenvoyproxy
Product-envoyenvoy
CWE ID-CWE-295
Improper Certificate Validation
CVE-2022-22885
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.62% / 68.98%
||
7 Day CHG~0.00%
Published-16 Feb, 2022 | 21:56
Updated-03 Aug, 2024 | 03:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Hutool v5.7.18's HttpRequest was discovered to ignore all TLS/SSL certificate validation.

Action-Not Available
Vendor-hutooln/a
Product-hutooln/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2020-12637
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.22% / 44.54%
||
7 Day CHG~0.00%
Published-09 May, 2020 | 16:23
Updated-04 Aug, 2024 | 12:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zulip Desktop before 5.2.0 has Missing SSL Certificate Validation because all validation was inadvertently disabled during an attempt to recognize the ignoreCerts option.

Action-Not Available
Vendor-zulipchatn/a
Product-zulip_desktopn/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2021-43882
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-9||CRITICAL
EPSS-0.58% / 67.84%
||
7 Day CHG~0.00%
Published-15 Dec, 2021 | 14:15
Updated-04 Aug, 2024 | 04:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft Defender for IoT Remote Code Execution Vulnerability

Microsoft Defender for IoT Remote Code Execution Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-defender_for_iotMicrosoft Defender for IoT
CWE ID-CWE-295
Improper Certificate Validation
CVE-2022-37437
Matching Score-4
Assigner-Splunk Inc.
ShareView Details
Matching Score-4
Assigner-Splunk Inc.
CVSS Score-7.4||HIGH
EPSS-0.26% / 48.97%
||
7 Day CHG-0.03%
Published-16 Aug, 2022 | 19:50
Updated-16 Sep, 2024 | 20:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ingest Actions UI in Splunk Enterprise 9.0.0 disabled TLS certificate validation

When using Ingest Actions to configure a destination that resides on Amazon Simple Storage Service (S3) in Splunk Web, TLS certificate validation is not correctly performed and tested for the destination. The vulnerability only affects connections between Splunk Enterprise and an Ingest Actions Destination through Splunk Web and only applies to environments that have configured TLS certificate validation. It does not apply to Destinations configured directly in the outputs.conf configuration file. The vulnerability affects Splunk Enterprise version 9.0.0 and does not affect versions below 9.0.0, including the 8.1.x and 8.2.x versions.

Action-Not Available
Vendor-Splunk LLC (Cisco Systems, Inc.)
Product-splunkSplunk Enterprise
CWE ID-CWE-295
Improper Certificate Validation
CVE-2022-35898
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.09% / 26.28%
||
7 Day CHG~0.00%
Published-01 May, 2023 | 00:00
Updated-30 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenText BizManager before 16.6.0.1 does not perform proper validation during the change-password operation. This allows any authenticated user to change the password of any other user, including the Administrator account.

Action-Not Available
Vendor-n/aOpen Text Corporation
Product-bizmanagern/a
CWE ID-CWE-295
Improper Certificate Validation
CWE ID-CWE-287
Improper Authentication
CVE-2024-49369
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-17.66% / 94.84%
||
7 Day CHG~0.00%
Published-12 Nov, 2024 | 16:44
Updated-13 Nov, 2024 | 17:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Icinga 2 has a TLS Certificate Validation Bypass for JSON-RPC and HTTP API Connections

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12.

Action-Not Available
Vendor-Icingaicinga
Product-icinga2icinga_web_2
CWE ID-CWE-295
Improper Certificate Validation
CVE-2021-33907
Matching Score-4
Assigner-Zoom Video Communications, Inc.
ShareView Details
Matching Score-4
Assigner-Zoom Video Communications, Inc.
CVSS Score-9.8||CRITICAL
EPSS-4.39% / 88.55%
||
7 Day CHG~0.00%
Published-27 Sep, 2021 | 13:55
Updated-04 Aug, 2024 | 00:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Zoom Client for Meetings for Windows in all versions before 5.3.0 fails to properly validate the certificate information used to sign .msi files when performing an update of the client. This could lead to remote code execution in an elevated privileged context.

Action-Not Available
Vendor-n/aZoom Communications, Inc.
Product-meetingsZoom Client for Meetings for Windows
CWE ID-CWE-295
Improper Certificate Validation
  • Previous
  • 1
  • 2
  • Next
Details not found