PT-2023-27207 · Unknown · Uthenticode

Name of the Vulnerable Software and Affected Versions: uthenticode versions prior to 2.x Description: The issue concerns uthenticode, a library for partially verifying Authenticode digital signatures. It does not check Extended Key Usages in certificates, which is against the Authenticode X.509...

GHSA-JJGP-WHRP-GQ8M in-toto: PGP trust model not (fully) considered

Impact This security advisory lists multiple concerns about how in-toto uses PGP keys. The findings are aggregated here, because they are all eligible to the same mitigation strategy. Note that the findings are rated with different severities see inline and the highest score was chosen for this...

PT-2023-33040 · Gnupg +1 · Gnupg +1

Name of the Vulnerable Software and Affected Versions: in-toto affected versions not specified Description: The issue concerns how in-toto uses PGP keys, specifically with regards to the validation of key creation time, consideration of key revocation, and checking of key usage flags. An attacker...

SUSE CVE-2013-5606

The CERTVerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services NSS 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access...

SUSE CVE-2020-14039

In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements if VerifyOptions.Roots equals nil and the installation is on Windows. Thus, X.509 certificate verification is incomplete...

SUSE CVE-2020-15025

ntpd in ntp 4.2.8 before 4.2.8p15 and 4.3.x before 4.3.101 allows remote attackers to cause a denial of service memory consumption by sending packets, because memory is not freed in situations where a CMAC key is used and associated with a CMAC algorithm in the ntp.keys file...

PT-2022-15012 · Envoy · Envoy

Name of the Vulnerable Software and Affected Versions: Envoy affected versions not specified Description: The issue concerns Envoy, an open source edge and service proxy designed for cloud-native applications. In affected versions, Envoy does not restrict the set of certificates it accepts from t...

Improper Certificate Validation

Overview std/crypto/x509 is a Go standard library package std/crypto/x509 Affected versions of this package are vulnerable to Improper Certificate Validation. Go Vulnerability Report: On Windows, if VerifyOptions.Roots is nil, Certificate.Verify does not check the EKU requirements specified in...

In Go before 1.13.13 and 1.14.x before 1.14.5 Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus X.509 certificate verification is incomplete.

...

AZL-79080 CVE-2020-14039 affecting package golang 1.25.7-1

In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements if VerifyOptions.Roots equals nil and the installation is on Windows. Thus, X.509 certificate verification is incomplete...

Design/Logic Flaw

Wrong public key usage from existing oemkeystore for hash generation in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8905,...

Certain HTTPS sites cannot be opened in Firefox after you install update 2965142 in Windows 8.1 or Windows RT 8.1

Certain HTTPS sites cannot be opened in Firefox after you install update 2965142 in Windows 8.1 or Windows RT 8.1 This article describes an update for Microsoft Family Safety. Prior to installing this update, Windows Update will verify that mandatory update 2919355 has been installed on your...

CVE-2020-11500

Zoom Client for Meetings through 4.6.9 uses the ECB mode of AES for video and audio encryption. Within a meeting, all participants use a single 128-bit key...

CVE-2019-16992

The Keybase app 2.13.2 for iOS provides potentially insufficient notice that it is employing a user's private key to sign a certain cryptocurrency attestation that an address at keybase.io can be used for Stellar payments to the user, which might be incompatible with a user's personal position on...

Oracle Linux 7 : pki-core (ELSA-2018-1979)

The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2018-1979 advisory. - Bugzilla Bug 1589307 - CVE-2018-1080 pki-core: Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access rhel-7.5.z ftweedal, c...

krb5: Authentication bypass by improper validation of certificate EKU and SAN

An authentication bypass flaw was found in the way krb5's certauth interface handled the validation of client certificates. A remote attacker able to communicate with the KDC could potentially use this flaw to impersonate arbitrary principals under rare and erroneous circumstances...

UBUNTU-CVE-2016-9575

Ipa versions 4.2.x, 4.3.x before 4.3.3 and 4.4.x before 4.4.3 did not properly check the user's permissions while modifying certificate profiles in IdM's certprofile-mod command. An authenticated, unprivileged attacker could use this flaw to modify profiles to issue certificates with arbitrary...

CVE-2016-9575

Ipa versions 4.2.x, 4.3.x before 4.3.3 and 4.4.x before 4.4.3 did not properly check the user's permissions while modifying certificate profiles in IdM's certprofile-mod command. An authenticated, unprivileged attacker could use this flaw to modify profiles to issue certificates with arbitrary...

DEBIAN-CVE-2016-9575

Ipa versions 4.2.x, 4.3.x before 4.3.3 and 4.4.x before 4.4.3 did not properly check the user's permissions while modifying certificate profiles in IdM's certprofile-mod command. An authenticated, unprivileged attacker could use this flaw to modify profiles to issue certificates with arbitrary...

CVE-2016-9575

Ipa versions 4.2.x, 4.3.x before 4.3.3 and 4.4.x before 4.4.3 did not properly check the user's permissions while modifying certificate profiles in IdM's certprofile-mod command. An authenticated, unprivileged attacker could use this flaw to modify profiles to issue certificates with arbitrary...