Total
1220 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-29908 | 1 Fabasoft | 1 Fabasoft Cloud Enterprise Client | 2024-11-21 | 7.8 High |
| The folioupdate service in Fabasoft Cloud Enterprise Client 22.4.0043 allows Local Privilege Escalation. | ||||
| CVE-2022-29482 | 1 Dena | 1 Mobaoku-auction \& Flea Market | 2024-11-21 | 3.7 Low |
| 'Mobaoku-Auction&Flea Market' App for iOS versions prior to 5.5.16 improperly verifies server certificates, which may allow an attacker to eavesdrop on an encrypted communication via a man-in-the-middle attack. | ||||
| CVE-2022-29082 | 1 Dell | 1 Emc Networker | 2024-11-21 | 3.7 Low |
| Dell EMC NetWorker versions 19.1.x, 19.1.0.x, 19.1.1.x, 19.2.x, 19.2.0.x, 19.2.1.x 19.3.x, 19.3.0.x, 19.4.x, 19.4.0.x, 19.5.x,19.5.0.x, 19.6 and 19.6.0.1 and 19.6.0.2 contain an Improper Validation of Certificate with Host Mismatch vulnerability in Rabbitmq port 5671 which could allow remote attackers to spoof certificates. | ||||
| CVE-2022-28352 | 1 Weechat | 1 Weechat | 2024-11-21 | 4.3 Medium |
| WeeChat (aka Wee Enhanced Environment for Chat) 3.2 to 3.4 before 3.4.1 does not properly verify the TLS certificate of the server, after certain GnuTLS options are changed, which allows man-in-the-middle attackers to spoof a TLS chat server via an arbitrary certificate. NOTE: this only affects situations where weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user is changed without a WeeChat restart. | ||||
| CVE-2022-28142 | 1 Jenkins | 1 Proxmox | 2024-11-21 | 7.5 High |
| Jenkins Proxmox Plugin 0.6.0 and earlier disables SSL/TLS certificate validation globally for the Jenkins controller JVM when configured to ignore SSL/TLS issues. | ||||
| CVE-2022-27820 | 1 Owasp | 1 Zed Attack Proxy | 2024-11-21 | 4.0 Medium |
| OWASP Zed Attack Proxy (ZAP) through w2022-03-21 does not verify the TLS certificate chain of an HTTPS server. | ||||
| CVE-2022-27782 | 4 Debian, Haxx, Redhat and 1 more | 4 Debian Linux, Curl, Enterprise Linux and 1 more | 2024-11-21 | 7.5 High |
| libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily. | ||||
| CVE-2022-27536 | 2 Apple, Golang | 2 Macos, Go | 2024-11-21 | 7.5 High |
| Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can be caused to panic on macOS when presented with certain malformed certificates. This allows a remote TLS server to cause a TLS client to panic. | ||||
| CVE-2022-26493 | 1 Drupal | 1 Saml Sp 2.0 Single Sign On | 2024-11-21 | 9.8 Critical |
| Xecurify's miniOrange Premium, Standard, and Enterprise Drupal SAML SP modules possess an authentication and authorization bypass vulnerability. An attacker with access to a HTTP-request intercepting method is able to bypass authentication and authorization by removing the SAML Assertion Signature - impersonating existing users and existing roles, including administrative users/roles. This vulnerability is not mitigated by configuring the module to enforce signatures or certificate checks. Xecurify recommends updating miniOrange modules to their most recent versions. This vulnerability is present in paid versions of the miniOrange Drupal SAML SP product affecting Drupal 7, 8, and 9. | ||||
| CVE-2022-26491 | 2 Debian, Pidgin | 2 Debian Linux, Pidgin | 2024-11-21 | 5.9 Medium |
| An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control over the XMPP connection and to obtain user credentials and all communication content. This is similar to CVE-2022-24968. | ||||
| CVE-2022-26305 | 2 Libreoffice, Redhat | 2 Libreoffice, Enterprise Linux | 2024-11-21 | 7.5 High |
| An Improper Certificate Validation vulnerability in LibreOffice existed where determining if a macro was signed by a trusted author was done by only matching the serial number and issuer string of the used certificate with that of a trusted certificate. This is not sufficient to verify that the macro was actually signed with the certificate. An adversary could therefore create an arbitrary certificate with a serial number and an issuer string identical to a trusted certificate which LibreOffice would present as belonging to the trusted author, potentially leading to the user to execute arbitrary code contained in macros improperly trusted. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1. | ||||
| CVE-2022-25640 | 1 Wolfssl | 1 Wolfssl | 2024-11-21 | 7.5 High |
| In wolfSSL before 5.2.0, a TLS 1.3 server cannot properly enforce a requirement for mutual authentication. A client can simply omit the certificate_verify message from the handshake, and never present a certificate. | ||||
| CVE-2022-25638 | 1 Wolfssl | 1 Wolfssl | 2024-11-21 | 6.5 Medium |
| In wolfSSL before 5.2.0, certificate validation may be bypassed during attempted authentication by a TLS 1.3 client to a TLS 1.3 server. This occurs when the sig_algo field differs between the certificate_verify message and the certificate message. | ||||
| CVE-2022-25243 | 1 Hashicorp | 1 Vault | 2024-11-21 | 6.5 Medium |
| "Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. Fixed in Vault Enterprise 1.8.9 and 1.9.4. | ||||
| CVE-2022-24968 | 1 Mellium | 1 Xmpp | 2024-11-21 | 5.9 Medium |
| In Mellium mellium.im/xmpp through 0.21.0, an attacker capable of spoofing DNS TXT records can redirect a WebSocket connection request to a server under their control without causing TLS certificate verification to fail. This occurs because the wrong host name is selected during this verification. | ||||
| CVE-2022-24320 | 1 Schneider-electric | 3 Clearscada, Ecostruxure Geo Scada Expert 2019, Ecostruxure Geo Scada Expert 2020 | 2024-11-21 | 5.9 Medium |
| A CWE-295: Improper Certificate Validation vulnerability exists that could allow a Man-in-theMiddle attack when communications between the client and Geo SCADA database server are intercepted. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions) | ||||
| CVE-2022-24319 | 1 Schneider-electric | 3 Clearscada, Ecostruxure Geo Scada Expert 2019, Ecostruxure Geo Scada Expert 2020 | 2024-11-21 | 5.9 Medium |
| A CWE-295: Improper Certificate Validation vulnerability exists that could allow a Man-in-theMiddle attack when communications between the client and Geo SCADA web server are intercepted. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions) | ||||
| CVE-2022-22946 | 2 Oracle, Vmware | 6 Commerce Guided Search, Communications Cloud Native Core Binding Support Function, Communications Cloud Native Core Console and 3 more | 2024-11-21 | 5.5 Medium |
| In spring cloud gateway versions prior to 3.1.1+ , applications that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or custom certificates. | ||||
| CVE-2022-22885 | 1 Hutool | 1 Hutool | 2024-11-21 | 9.8 Critical |
| Hutool v5.7.18's HttpRequest was discovered to ignore all TLS/SSL certificate validation. | ||||
| CVE-2022-22787 | 1 Zoom | 1 Meetings | 2024-11-21 | 5.9 Medium |
| The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.10.0 fails to properly validate the hostname during a server switch request. This issue could be used in a more sophisticated attack to trick an unsuspecting users client to connect to a malicious server when attempting to use Zoom services. | ||||