Total
1136 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-3182 | 1 Threatmetrix | 1 Threatmetrix Sdk | 2024-11-21 | 4.3 MEDIUM | 6.8 MEDIUM |
| On the iOS platform, the ThreatMetrix SDK versions prior to 3.2 fail to validate SSL certificates provided by HTTPS connections, which may allow an attacker to perform a man-in-the-middle (MITM) attack. ThreatMetrix is a security library for mobile applications, which aims to provide fraud prevention and device identity capabilities. The ThreatMetrix SDK versions prior to 3.2 do not validate SSL certificates on the iOS platform. An affected application will communicate with https://h-sdk.online-metrix.net, regardless of whether the connection is secure or not. An attacker on the same network as or upstream from the iOS device may be able to view or modify ThreatMetrix network traffic that should have been protected by HTTPS. | |||||
| CVE-2017-2836 | 2 Debian, Freerdp | 2 Debian Linux, Freerdp | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| An exploitable denial of service vulnerability exists within the reading of proprietary server certificates in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability. | |||||
| CVE-2017-2649 | 1 Jenkins | 1 Active Directory | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| It was found that the Active Directory Plugin for Jenkins up to and including version 2.2 did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks. | |||||
| CVE-2017-2648 | 1 Jenkins | 1 Ssh Slaves | 2024-11-21 | 6.8 MEDIUM | 6.8 MEDIUM |
| It was found that jenkins-ssh-slaves-plugin before version 1.15 did not perform host key verification, thereby enabling Man-in-the-Middle attacks. | |||||
| CVE-2017-2639 | 1 Redhat | 2 Cloudforms, Cloudforms Management Engine | 2024-11-21 | 5.0 MEDIUM | 6.5 MEDIUM |
| It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization (RHEV) and OpenShift. This would allow an attacker to spoof RHEV or OpenShift systems and potentially harvest sensitive information from CloudForms. | |||||
| CVE-2017-2629 | 1 Haxx | 1 Curl | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality. This flaw also exists in the command line tool (--cert-status). | |||||
| CVE-2017-2623 | 2 Redhat, Rpm-ostree | 3 Enterprise Linux, Rpm-ostree, Rpm-ostree-client | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM |
| It was discovered that rpm-ostree and rpm-ostree-client before 2017.3 fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could fail to be rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certificate pinning is used by default. | |||||
| CVE-2017-1622 | 1 Ibm | 1 Qradar Incident Forensics | 2024-11-21 | 5.8 MEDIUM | 3.7 LOW |
| IBM QRadar SIEM 7.2.8 and 7.3 does not validate, or incorrectly validates, a certificate. This weakness might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. IBM X-force ID: 133120. | |||||
| CVE-2017-1265 | 1 Ibm | 1 Security Guardium | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
| IBM Security Guardium 10.0, 10.0.1, 10.1, 10.1.2, 10.1.3, 10.1.4, and 10.5 does not validate, or incorrectly validates, a certificate. This weakness might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) techniques. IBM X-Force ID: 124740. | |||||
| CVE-2017-1200 | 1 Ibm | 1 Bigfix Compliance | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
| IBM BigFix Compliance 1.7 through 1.9.91 (TEMA SUAv1 SCA SCM) does not validate, or incorrectly validates, a certificate.This weakness might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host. IBM X-Force ID: 123675. | |||||
| CVE-2017-18918 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A System Administrator can place a SAML certificate at an arbitrary pathname. | |||||
| CVE-2017-18911 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server. | |||||
| CVE-2017-18909 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory. | |||||
| CVE-2017-18588 | 1 Security-framework Project | 1 Security-framework | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in the security-framework crate before 0.1.12 for Rust. Hostname verification for certificates does not occur if ClientBuilder uses custom root certificates. | |||||
| CVE-2017-18479 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| In cPanel before 62.0.4, WHM SSL certificate generation uses an unreserved e-mail address (SEC-209). | |||||
| CVE-2017-18227 | 1 Titanhq | 1 Webtitan Gateway | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| TitanHQ WebTitan Gateway has incorrect certificate validation for the TLS interception feature. | |||||
| CVE-2017-17945 | 1 Asus | 2 Hivivo, Vivobaby | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| The ASUS HiVivo aspplication before 5.6.27 for ASUS Watch has Missing SSL Certificate Validation. | |||||
| CVE-2017-17944 | 1 Asus | 2 Hivivo, Vivobaby | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| The ASUS Vivobaby application before 1.1.09 for Android has Missing SSL Certificate Validation. | |||||
| CVE-2017-17455 | 1 Mahara | 1 Mahara | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| Mahara 16.10 before 16.10.7, 17.04 before 17.04.5, and 17.10 before 17.10.2 are vulnerable to being forced, via a man-in-the-middle attack, to interact with Mahara on the HTTP protocol rather than HTTPS even when an SSL certificate is present. | |||||
| CVE-2017-17301 | 1 Huawei | 56 Ar120-s, Ar120-s Firmware, Ar1200 and 53 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Huawei AR120-S V200R005C32, V200R006C10, V200R007C00, V200R008C20, AR1200 V200R005C20, V200R005C32, V200R006C10, V200R007C00, V200R007C01, V200R007C02, V200R008C20, AR1200-S V200R005C32, V200R006C10, V200R007C00, V200R008C20, AR150 V200R006C10, V200R007C00, V200R007C01, V200R007C02, V200R008C20, AR160 V200R005C32, V200R006C10, V200R007C00, V200R007C01, V200R007C02, V200R008C20, AR200 V200R005C32, V200R006C10, V200R007C00, V200R007C01, V200R008C20, AR200-S V200R005C32, V200R006C10, V200R007C00, V200R008C20, AR2200 V200R005C20, V200R005C32, V200R006C10, V200R007C00, V200R007C01, V200R007C02, V200R008C20, AR2200-S V200R005C32, V200R006C10, V200R007C00, V200R008C20, AR3200 V200R005C32, V200R006C10, V200R006C11, V200R007C00, V200R007C01, V200R007C02, V200R008C00, V200R008C10, V200R008C20, V200R008C30, AR3600 V200R006C10, V200R007C00, V200R007C01, V200R008C20, AR510 V200R005C32, V200R006C10, V200R007C00, V200R008C20, CloudEngine 12800 V100R003C00, V100R003C10, V100R005C00, V100R005C10, V100R006C00, V200R001C00, CloudEngine 5800 V100R003C00, V100R003C10, V100R005C00, V100R005C10, V100R006C00, V200R001C00, CloudEngine 6800 V100R003C00, V100R003C10, V100R005C00, V100R005C10, V100R006C00, V200R001C00, CloudEngine 7800 V100R003C00, V100R003C10, V100R005C00, V100R005C10, V100R006C00, V200R001C00, DP300 V500R002C00, SMC2.0 V100R003C10, V100R005C00, V500R002C00, SRG1300 V200R005C32, V200R006C10, V200R007C00, V200R007C02, V200R008C20, SRG2300 V200R005C32, V200R006C10, V200R007C00, V200R007C02, V200R008C20, SRG3300 V200R005C32, V200R006C10, V200R007C00, V200R008C20, TE30 V100R001C10, TE60 V100R003C00, V500R002C00, VP9660 V200R001C02, V200R001C30, V500R002C00, ViewPoint 8660 V100R008C02, V100R008C03, eSpace IAD V300R002C01, eSpace U1981 V200R003C20, V200R003C30, eSpace USM V100R001C01, V300R001C00 have a weak cryptography vulnerability. Due to not properly some values in the certificates, an unauthenticated remote attacker could forges a specific RSA certificate and exploits the vulnerability to pass identity authentication and logs into the target device to obtain permissions configured for the specific user name. | |||||