Total
1114 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-8020 | 2 Apache, Debian | 2 Tomcat Native, Debian Linux | 2024-11-21 | 4.3 MEDIUM | 7.4 HIGH |
Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 has a flaw that does not properly check OCSP pre-produced responses, which are lists (multiple entries) of certificate statuses. Subsequently, revoked client certificates may not be properly identified, allowing for users to authenticate with revoked certificates to connections that require mutual TLS. Users not using OCSP checks are not affected by this vulnerability. | |||||
CVE-2018-8019 | 2 Apache, Debian | 2 Tomcat Native, Debian Linux | 2024-11-21 | 4.3 MEDIUM | 7.4 HIGH |
When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates when using mutual TLS. Users not using OCSP checks are not affected by this vulnerability. | |||||
CVE-2018-7234 | 1 Schneider-electric | 40 Ibp1110-1er, Ibp1110-1er Firmware, Ibp219-1er and 37 more | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could allow arbitrary system file download due to lack of validation of SSL certificate. | |||||
CVE-2018-6827 | 1 Omninova | 2 Vobot, Vobot Firmware | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
VOBOT CLOCK before 0.99.30 devices do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information, and consequently execute arbitrary code, via a crafted certificate, as demonstrated by leveraging a hardcoded --no-check-certificate Wget option. | |||||
CVE-2018-6517 | 1 Puppet | 1 Chloride | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Prior to version 0.3.0, chloride's use of net-ssh resulted in host fingerprints for previously unknown hosts getting added to the user's known_hosts file without confirmation. In version 0.3.0 this is updated so that the user's known_hosts file is not updated by chloride. | |||||
CVE-2018-6374 | 1 Pulsesecure | 1 Desktop Linux Client | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
The GUI component (aka PulseUI) in Pulse Secure Desktop Linux clients before PULSE5.2R9.2 and 5.3.x before PULSE5.3R4.2 does not perform strict SSL Certificate Validation. This can lead to the manipulation of the Pulse Connection set. | |||||
CVE-2018-6221 | 1 Trendmicro | 1 Email Encryption Gateway | 2024-11-21 | 9.3 HIGH | 8.1 HIGH |
An unvalidated software update vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow a man-in-the-middle attacker to tamper with an update file and inject their own. | |||||
CVE-2018-6219 | 1 Trendmicro | 1 Email Encryption Gateway | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
An Insecure Update via HTTP vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to eavesdrop and tamper with certain types of update data. | |||||
CVE-2018-5926 | 1 Hp | 1 Remote Graphics Software | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
A potential vulnerability has been identified in HP Remote Graphics Software’s certificate authentication process version 7.5.0 and earlier. | |||||
CVE-2018-5761 | 1 Rubrik | 1 Cdm | 2024-11-21 | 4.3 MEDIUM | 8.1 HIGH |
A man-in-the-middle vulnerability related to vCenter access was found in Rubrik CDM 3.x and 4.x before 4.0.4-p2. This vulnerability might expose Rubrik user credentials configured to access vCenter as Rubrik clusters did not verify TLS certificates presented by vCenter. | |||||
CVE-2018-5502 | 1 F5 | 13 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 10 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
On F5 BIG-IP versions 13.0.0 - 13.1.0.3, attackers may be able to disrupt services on the BIG-IP system with maliciously crafted client certificate. This vulnerability affects virtual servers associated with Client SSL profile which enables the use of client certificate authentication. Client certificate authentication is not enabled by default in Client SSL profile. There is no control plane exposure. | |||||
CVE-2018-5466 | 1 Philips | 1 Intellispace Portal | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x have a self-signed SSL certificate vulnerability this could allow an attacker to gain unauthorized access to resources and information. | |||||
CVE-2018-5464 | 1 Philips | 1 Intellispace Portal | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x have an untrusted SSL certificate vulnerability this could allow an attacker to gain unauthorized access to resources and information. | |||||
CVE-2018-5462 | 1 Philips | 1 Intellispace Portal | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x have an SSL incorrect hostname certificate vulnerability this could allow an attacker to gain unauthorized access to resources and information. | |||||
CVE-2018-5408 | 1 Printerlogic | 1 Print Management | 2024-11-21 | 5.8 MEDIUM | 7.4 HIGH |
The PrinterLogic Print Management software, versions up to and including 18.3.1.96, does not validate, or incorrectly validates, the PrinterLogic management portal's SSL certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host. | |||||
CVE-2018-5258 | 1 Banconeon | 1 Neon | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
The Neon app 1.6.14 iOS does not verify X.509 certificates from SSL servers, which allows remote attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
CVE-2018-4991 | 1 Adobe | 1 Creative Cloud | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
Adobe Creative Cloud Desktop Application versions 4.4.1.298 and earlier have an exploitable Improper certificate validation vulnerability. Successful exploitation could lead to a security bypass. | |||||
CVE-2018-4849 | 1 Siemens | 1 Siveillance Vms Video | 2024-11-21 | 5.8 MEDIUM | 7.4 HIGH |
A vulnerability has been identified in Siveillance VMS Video for Android (All versions < V12.1a (2018 R1)), Siveillance VMS Video for iOS (All versions < V12.1a (2018 R1)). Improper certificate validation could allow an attacker in a privileged network position to read data from and write data to the encrypted communication channel between the app and a server. The security vulnerability could be exploited by an attacker in a privileged network position which allows intercepting the communication channel between the affected app and a server (such as Man-in-the-Middle). Furthermore, an attacker must be able to generate a certificate that results for the validation algorithm in a checksum identical to a trusted certificate. Successful exploitation requires no user interaction. The vulnerability could allow reading data from and writing data to the encrypted communication channel between the app and a server, impacting the communication's confidentiality and integrity. At the time of advisory publication no public exploitation of this security vulnerability was known. Siemens confirms the security vulnerability and provides mitigations to resolve the security issue. | |||||
CVE-2018-4436 | 1 Apple | 3 Iphone Os, Tvos, Watchos | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
A certificate validation issue existed in configuration profiles. This was addressed with additional checks. This issue affected versions prior to iOS 12.1.1, tvOS 12.1.1, watchOS 5.1.2. | |||||
CVE-2018-4086 | 1 Apple | 4 Apple Tv, Iphone Os, Mac Os X and 1 more | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "Security" component. It allows remote attackers to spoof certificate validation via crafted name constraints. |