Total
1114 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-4654 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2024-11-21 | 5.8 MEDIUM | 4.8 MEDIUM |
| IBM QRadar 7.3.0 to 7.3.3 Patch 2 does not validate, or incorrectly validates, a certificate which could allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. IBM X-ForceID: 170965. | |||||
| CVE-2019-4264 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM QRadar SIEM 7.2.8 WinCollect could allow an attacker to obtain sensitive information by spoofing a trusted entity using man in the middle techniques due to not validating or incorrectly validating a certificate. IBM X-Force ID: 160072. | |||||
| CVE-2019-4150 | 1 Ibm | 1 Security Access Manager | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
| IBM Security Access Manager 9.0.1 through 9.0.6 does not validate, or incorrectly validates, a certificate which could allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. IBM X-Force ID: 158510. | |||||
| CVE-2019-3890 | 2 Gnome, Redhat | 2 Evolution-ews, Enterprise Linux | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
| It was discovered evolution-ews before 3.31.3 does not check the validity of SSL certificates. An attacker could abuse this flaw to get confidential information by tricking the user into connecting to a fake server without the user noticing the difference. | |||||
| CVE-2019-3875 | 1 Redhat | 2 Keycloak, Single Sign-on | 2024-11-21 | 5.8 MEDIUM | 6.5 MEDIUM |
| A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols ('http' or 'ldap') and hence the caller should verify the signature and possibly the certification path. Keycloak currently doesn't validate signatures on CRL, which can result in a possibility of various attacks like man-in-the-middle. | |||||
| CVE-2019-3841 | 1 Kubevirt | 1 Containerized Data Importer | 2024-11-21 | 4.9 MEDIUM | 7.4 HIGH |
| Kubevirt/virt-cdi-importer, versions 1.4.0 to 1.5.3 inclusive, were reported to disable TLS certificate validation when importing data into PVCs from container registries. This could enable man-in-the-middle attacks between a container registry and the virt-cdi-component, leading to possible undetected tampering of trusted container image content. | |||||
| CVE-2019-3814 | 3 Canonical, Dovecot, Opensuse | 3 Ubuntu Linux, Dovecot, Leap | 2024-11-21 | 4.9 MEDIUM | 7.7 HIGH |
| It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users. | |||||
| CVE-2019-3807 | 1 Powerdns | 1 Recursor | 2024-11-21 | 6.4 MEDIUM | 3.7 LOW |
| An issue has been found in PowerDNS Recursor versions 4.1.x before 4.1.9 where records in the answer section of responses received from authoritative servers with the AA flag not set were not properly validated, allowing an attacker to bypass DNSSEC validation. | |||||
| CVE-2019-3777 | 1 Pivotal Software | 1 Application Service | 2024-11-21 | 5.0 MEDIUM | 8.0 HIGH |
| Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain apps manager that uses a cloud controller proxy that fails to verify SSL certs. A remote unauthenticated attacker that could hijack the Cloud Controller's DNS record could intercept access tokens sent to the Cloud Controller, giving the attacker access to the user's resources in the Cloud Controller | |||||
| CVE-2019-3762 | 1 Dell | 2 Emc Data Protection Central, Emc Integrated Data Protection Appliance | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Data Protection Central versions 1.0, 1.0.1, 18.1, 18.2, and 19.1 contains an Improper Certificate Chain of Trust Vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by obtaining a CA signed certificate from Data Protection Central to impersonate a valid system to compromise the integrity of data. | |||||
| CVE-2019-3751 | 1 Dell | 1 Emc Enterprise Copy Data Management | 2024-11-21 | 5.8 MEDIUM | 6.4 MEDIUM |
| Dell EMC Enterprise Copy Data Management (eCDM) versions 1.0, 1.1, 2.0, 2.1, and 3.0 contain a certificate validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to carry out a man-in-the-middle attack by supplying a crafted certificate and intercepting the victim's traffic to view or modify a victim’s data in transit. | |||||
| CVE-2019-3685 | 1 Opensuse | 1 Open Build Service | 2024-11-21 | 6.8 MEDIUM | 7.4 HIGH |
| Open Build Service before version 0.165.4 diddn't validate TLS certificates for HTTPS connections with the osc client binary | |||||
| CVE-2019-20894 | 1 Traefik | 1 Traefik | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| Traefik 2.x, in certain configurations, allows HTTPS sessions to proceed without mutual TLS verification in a situation where ERR_BAD_SSL_CLIENT_AUTH_CERT should have occurred. | |||||
| CVE-2019-20455 | 1 Globalpayments | 1 Php Sdk | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| Gateways/Gateway.php in Heartland & Global Payments PHP SDK before 2.0.0 does not enforce SSL certificate validations. | |||||
| CVE-2019-1948 | 1 Cisco | 1 Webex Meetings | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| A vulnerability in Cisco Webex Meetings Mobile (iOS) could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data by using an invalid Secure Sockets Layer (SSL) certificate. The vulnerability is due to insufficient SSL certificate validation by the affected software. An attacker could exploit this vulnerability by supplying a crafted SSL certificate to an affected device. A successful exploit could allow the attacker to conduct man-in-the-middle attacks to decrypt confidential information on user connections to the affected software. | |||||
| CVE-2019-1940 | 1 Cisco | 1 Industrial Network Director | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| A vulnerability in the Web Services Management Agent (WSMA) feature of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data using an invalid X.509 certificate. The vulnerability is due to insufficient X.509 certificate validation when establishing a WSMA connection. An attacker could exploit this vulnerability by supplying a crafted X.509 certificate during the WSMA connection setup phase. A successful exploit could allow the attacker to conduct man-in-the-middle attacks to decrypt confidential information on WSMA connections to the affected software. At the time of publication, this vulnerability affected Cisco IND Software releases prior to 1.7. | |||||
| CVE-2019-1886 | 1 Cisco | 2 Asyncos, Web Security Appliance | 2024-11-21 | 5.0 MEDIUM | 8.6 HIGH |
| A vulnerability in the HTTPS decryption feature of Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to insufficient validation of Secure Sockets Layer (SSL) server certificates. An attacker could exploit this vulnerability by installing a malformed certificate in a web server and sending a request to it through the Cisco WSA. A successful exploit could allow the attacker to cause an unexpected restart of the proxy process on an affected device. | |||||
| CVE-2019-1859 | 1 Cisco | 228 Sf200-24, Sf200-24 Firmware, Sf200-24fp and 225 more | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability in the Secure Shell (SSH) authentication process of Cisco Small Business Switches software could allow an attacker to bypass client-side certificate authentication and revert to password authentication. The vulnerability exists because OpenSSH mishandles the authentication process. An attacker could exploit this vulnerability by attempting to connect to the device via SSH. A successful exploit could allow the attacker to access the configuration as an administrative user if the default credentials are not changed. There are no workarounds available; however, if client-side certificate authentication is enabled, disable it and use strong password authentication. Client-side certificate authentication is disabled by default. | |||||
| CVE-2019-1757 | 1 Cisco | 2 Ios, Ios Xe | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| A vulnerability in the Cisco Smart Call Home feature of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data using an invalid certificate. The vulnerability is due to insufficient certificate validation by the affected software. An attacker could exploit this vulnerability by supplying a crafted certificate to an affected device. A successful exploit could allow the attacker to conduct man-in-the-middle attacks to decrypt confidential information on user connections to the affected software. | |||||
| CVE-2019-1748 | 1 Cisco | 2 Ios, Ios Xe | 2024-11-21 | 5.8 MEDIUM | 7.4 HIGH |
| A vulnerability in the Cisco Network Plug-and-Play (PnP) agent of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data. The vulnerability exists because the affected software insufficiently validates certificates. An attacker could exploit this vulnerability by supplying a crafted certificate to an affected device. A successful exploit could allow the attacker to conduct man-in-the-middle attacks to decrypt and modify confidential information on user connections to the affected software. | |||||