Total
1173 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-3898 | 1 Motorola | 2 Device Help, Ready For | 2024-11-21 | 6.8 Medium |
| Versions of Motorola Ready For and Motorola Device Help Android applications prior to 2021-04-08 do not properly verify the server certificate which could lead to the communication channel being accessible by an attacker. | ||||
| CVE-2021-3698 | 2 Cockpit-project, Redhat | 2 Cockpit, Enterprise Linux | 2024-11-21 | 7.5 High |
| A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL) configuration or the certificate status. The highest threat from this vulnerability is to confidentiality. | ||||
| CVE-2021-3636 | 1 Redhat | 1 Openshift | 2024-11-21 | 4.6 Medium |
| It was found in OpenShift, before version 4.8, that the generated certificate for the in-cluster Service CA, incorrectly included additional certificates. The Service CA is automatically mounted into all pods, allowing them to safely connect to trusted in-cluster services that present certificates signed by the trusted Service CA. The incorrect inclusion of additional CAs in this certificate would allow an attacker that compromises any of the additional CAs to masquerade as a trusted in-cluster service. | ||||
| CVE-2021-3618 | 5 Debian, F5, Fedoraproject and 2 more | 5 Debian Linux, Nginx, Fedora and 2 more | 2024-11-21 | 7.4 High |
| ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer. | ||||
| CVE-2021-3547 | 1 Openvpn | 1 Openvpn | 2024-11-21 | 7.4 High |
| OpenVPN 3 Core Library version 3.6 and 3.6.1 allows a man-in-the-middle attacker to bypass the certificate authentication by issuing an unrelated server certificate using the same hostname found in the verify-x509-name option in a client configuration. | ||||
| CVE-2021-3460 | 1 Motorola | 2 Mh702x, Mh702x Firmware | 2024-11-21 | 8.1 High |
| The Motorola MH702x devices, prior to version 2.0.0.301, do not properly verify the server certificate during communication with the support server which could lead to the communication channel being accessible by an attacker. | ||||
| CVE-2021-3450 | 11 Fedoraproject, Freebsd, Mcafee and 8 more | 39 Fedora, Freebsd, Web Gateway and 36 more | 2024-11-21 | 7.4 High |
| The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j). | ||||
| CVE-2021-3406 | 2 Fedoraproject, Keylime | 2 Fedora, Keylime | 2024-11-21 | 9.8 Critical |
| A flaw was found in keylime 5.8.1 and older. The issue in the Keylime agent and registrar code invalidates the cryptographic chain of trust from the Endorsement Key certificate to agent attestations. | ||||
| CVE-2021-3336 | 1 Wolfssl | 1 Wolfssl | 2024-11-21 | 8.1 High |
| DoTls13CertificateVerify in tls13.c in wolfSSL before 4.7.0 does not cease processing for certain anomalous peer behavior (sending an ED22519, ED448, ECC, or RSA signature without the corresponding certificate). The client side is affected because man-in-the-middle attackers can impersonate TLS 1.3 servers. | ||||
| CVE-2021-3309 | 1 Wekan Project | 1 Wekan | 2024-11-21 | 8.1 High |
| packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by the Certification Authority trust store, | ||||
| CVE-2021-3285 | 1 Ti | 1 Code Composer Studio Intgrated Development Environment | 2024-11-21 | 5.3 Medium |
| jxbrowser in TI Code Composer Studio IDE 8.x through 10.x before 10.1.1 does not verify X.509 certificates for HTTPS. | ||||
| CVE-2021-3162 | 2 Apple, Docker | 2 Macos, Docker | 2024-11-21 | 7.8 High |
| Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation. | ||||
| CVE-2021-39365 | 3 Debian, Gnome, Redhat | 3 Debian Linux, Grilo, Enterprise Linux | 2024-11-21 | 5.9 Medium |
| In GNOME grilo though 0.3.13, grl-net-wc.c does not enable TLS certificate verification on the SoupSessionAsync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011. | ||||
| CVE-2021-39361 | 1 Gnome | 1 Evolution-rss | 2024-11-21 | 5.9 Medium |
| In GNOME evolution-rss through 0.3.96, network-soup.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011. | ||||
| CVE-2021-39360 | 2 Fedoraproject, Gnome | 2 Fedora, Libzapojit | 2024-11-21 | 5.9 Medium |
| In GNOME libzapojit through 0.0.3, zpj-skydrive.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011. | ||||
| CVE-2021-39359 | 2 Fedoraproject, Gnome | 2 Fedora, Libgda | 2024-11-21 | 5.9 Medium |
| In GNOME libgda through 6.0.0, gda-web-provider.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011. | ||||
| CVE-2021-39358 | 3 Fedoraproject, Gnome, Redhat | 3 Fedora, Libgfbgraph, Enterprise Linux | 2024-11-21 | 5.9 Medium |
| In GNOME libgfbgraph through 0.2.4, gfbgraph-photo.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011. | ||||
| CVE-2021-38864 | 1 Ibm | 1 Security Verify Bridge | 2024-11-21 | 7.5 High |
| IBM Security Verify Bridge 1.0.5.0 could allow a user to obtain sensitive information due to improper certificate validation. IBM X-Force ID: 208155. | ||||
| CVE-2021-37698 | 2 Debian, Icinga | 2 Debian Linux, Icinga | 2024-11-21 | 7.5 High |
| Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer do not verify the server's certificate despite a certificate authority being specified. Icinga 2 instances which connect to any of the mentioned time series databases (TSDBs) using TLS over a spoofable infrastructure should immediately upgrade to version 2.13.1, 2.12.6, or 2.11.11 to patch the issue. Such instances should also change the credentials (if any) used by the TSDB writer feature to authenticate against the TSDB. There are no workarounds aside from upgrading. | ||||
| CVE-2021-37219 | 1 Hashicorp | 1 Consul | 2024-11-21 | 8.8 High |
| HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2. | ||||