ReportizFlow
Filtered by vendor
Subscriptions
Total
53 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-32868 | 2024-11-21 | 6.5 Medium | ||
| ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks. This issue has been patched in version 2.50.0. | ||||
| CVE-2024-2466 | 1 Redhat | 1 Jboss Core Services | 2024-11-21 | 6.5 Medium |
| libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc). | ||||
| CVE-2024-2462 | 2024-11-21 | N/A | ||
| Allow attackers to intercept or falsify data exchanges between the client and the server | ||||
| CVE-2023-5909 | 4 Ge, Ptc, Rockwellautomation and 1 more | 8 Industrial Gateway Server, Keepserverex, Opc-aggregator and 5 more | 2024-11-21 | 7.5 High |
| KEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect. | ||||
| CVE-2023-34143 | 3 Hitachi, Linux, Microsoft | 3 Device Manager, Linux Kernel, Windows | 2024-11-21 | 5.6 Medium |
| Improper Validation of Certificate with Host Mismatch vulnerability in Hitachi Device Manager on Windows, Linux (Device Manager Server, Device Manager Agent, Host Data Collector components) allows Man in the Middle Attack.This issue affects Hitachi Device Manager: before 8.8.5-02. | ||||
| CVE-2023-24568 | 1 Dell | 1 Networker | 2024-11-21 | 5 Medium |
| Dell NetWorker, contains an Improper Validation of Certificate with Host Mismatch vulnerability in Rabbitmq port which could disallow replacing CA signed certificates. | ||||
| CVE-2022-48308 | 1 Palantir | 1 Sls-logging | 2024-11-21 | 6.3 Medium |
| It was discovered that the sls-logging was not verifying hostnames in TLS certificates due to a misuse of the javax.net.ssl.SSLSocketFactory API. A malicious attacker in a privileged network position could abuse this to perform a man-in-the-middle attack. A successful man-in-the-middle attack would allow them to intercept, read, or modify network communications to and from the affected service. | ||||
| CVE-2022-48307 | 1 Palantir | 1 Magritte-ftp | 2024-11-21 | 6.3 Medium |
| It was discovered that the Magritte-ftp was not verifying hostnames in TLS certificates due to a misuse of the javax.net.ssl.SSLSocketFactory API. A malicious attacker in a privileged network position could abuse this to perform a man-in-the-middle attack. A successful man-in-the-middle attack would allow them to intercept, read, or modify network communications to and from the affected service. In the case of a successful man in the middle attack on magritte-ftp, an attacker would be able to read and modify network traffic such as authentication tokens or raw data entering a Palantir Foundry stack. | ||||
| CVE-2022-48306 | 1 Palantir | 1 Gotham Chat Irc | 2024-11-21 | 5.7 Medium |
| Improper Validation of Certificate with Host Mismatch vulnerability in Gotham Chat IRC helper of Palantir Gotham allows A malicious attacker in a privileged network position could abuse this to perform a man-in-the-middle attack. A successful man-in-the-middle attack would allow them to intercept, read, or modify network communications to and from the affected service. This issue affects: Palantir Palantir Gotham Chat IRC helper versions prior to 30221005.210011.9242. | ||||
| CVE-2022-32153 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-11-21 | 8.1 High |
| Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203 did not validate the TLS certificates during Splunk-to-Splunk communications by default. Splunk peer communications configured properly with valid certificates were not vulnerable. However, an attacker with administrator credentials could add a peer without a valid certificate and connections from misconfigured nodes without valid certificates did not fail by default. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation. | ||||
| CVE-2022-29082 | 1 Dell | 1 Emc Networker | 2024-11-21 | 3.7 Low |
| Dell EMC NetWorker versions 19.1.x, 19.1.0.x, 19.1.1.x, 19.2.x, 19.2.0.x, 19.2.1.x 19.3.x, 19.3.0.x, 19.4.x, 19.4.0.x, 19.5.x,19.5.0.x, 19.6 and 19.6.0.1 and 19.6.0.2 contain an Improper Validation of Certificate with Host Mismatch vulnerability in Rabbitmq port 5671 which could allow remote attackers to spoof certificates. | ||||
| CVE-2022-27890 | 1 Palantir | 1 Atlasdb | 2024-11-21 | 6.3 Medium |
| It was discovered that the sls-logging was not verifying hostnames in TLS certificates due to a misuse of the javax.net.ssl.SSLSocketFactory API. A malicious attacker in a privileged network position could abuse this to perform a man-in-the-middle attack. A successful man-in-the-middle attack would allow them to intercept, read, or modify network communications to and from the affected service. In the case of AtlasDB, the vulnerability was mitigated by other network controls such as two-way TLS when deployed as part of a Palantir platform. Palantir still recommends upgrading to a non-vulnerable version out of an abundance of caution. | ||||
| CVE-2022-22305 | 1 Fortinet | 4 Fortianalyzer, Fortimanager, Fortios and 1 more | 2024-11-21 | 5.4 Medium |
| An improper certificate validation vulnerability [CWE-295] in FortiManager 7.0.1 and below, 6.4.6 and below; FortiAnalyzer 7.0.2 and below, 6.4.7 and below; FortiOS 6.2.x and 6.0.x; FortiSandbox 4.0.x, 3.2.x and 3.1.x may allow a network adjacent and unauthenticated attacker to man-in-the-middle the communication between the listed products and some external peers. | ||||
| CVE-2021-33695 | 1 Sap | 1 Cloud Connector | 2024-11-21 | 9.1 Critical |
| Potentially, SAP Cloud Connector, version - 2.0 communication with the backend is accepted without sufficient validation of the certificate. | ||||
| CVE-2021-21385 | 1 Mifos | 1 Mifos-mobile | 2024-11-21 | 8.8 High |
| Mifos-Mobile Android Application for MifosX is an Android Application built on top of the MifosX Self-Service platform. Mifos-Mobile before commit e505f62 disables HTTPS hostname verification of its HTTP client. Additionally it accepted any self-signed certificate as valid. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. Accepting any certificate, even self-signed ones allows man-in-the-middle attacks. This problem is fixed in mifos-mobile commit e505f62. | ||||
| CVE-2020-7942 | 2 Puppet, Redhat | 4 Puppet, Puppet Agent, Satellite and 1 more | 2024-11-21 | 6.5 Medium |
| Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 and 5.5.19 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior. Affected software versions: Puppet 6.x prior to 6.13.0 Puppet Agent 6.x prior to 6.13.0 Puppet 5.5.x prior to 5.5.19 Puppet Agent 5.5.x prior to 5.5.19 Resolved in: Puppet 6.13.0 Puppet Agent 6.13.0 Puppet 5.5.19 Puppet Agent 5.5.19 | ||||
| CVE-2020-2252 | 2 Jenkins, Redhat | 2 Mailer, Openshift | 2024-11-21 | 4.8 Medium |
| Jenkins Mailer Plugin 1.32 and earlier does not perform hostname validation when connecting to the configured SMTP server. | ||||
| CVE-2020-1887 | 1 Linuxfoundation | 1 Osquery | 2024-11-21 | 9.1 Critical |
| Incorrect validation of the TLS SNI hostname in osquery versions after 2.9.0 and before 4.2.0 could allow an attacker to MITM osquery traffic in the absence of a configured root chain of trust. | ||||
| CVE-2020-1758 | 1 Redhat | 4 Jboss Single Sign On, Keycloak, Openstack and 1 more | 2024-11-21 | 5.3 Medium |
| A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack. | ||||
| CVE-2020-15719 | 5 Mcafee, Openldap, Opensuse and 2 more | 5 Policy Auditor, Openldap, Leap and 2 more | 2024-11-21 | 4.2 Medium |
| libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux. | ||||